| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250321224557.3847-3-david.laight.linux@gmail.com>
Date: Fri, 21 Mar 2025 22:45:56 +0000
From: David Laight <david.laight.linux@...il.com>
To: linux-kernel@...r.kernel.org
Cc: David Laight <david.laight.linux@...il.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jens Axboe <axboe@...nel.dk>,
David Howells <dhowells@...hat.com>,
Matthew Wilcox <willy@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexander Viro <viro@...iv.linux.org.uk>
Subject: [PATCH next 2/3] iov: Use masked user accesses
Check can_do_masked_user_access() and use mask_user_address() or
masked_user_access_begin() to optimise user access checks.
Read iov->buf before iov->len to ensure accessing the 'masked'
address fails when kernel addresses are converted to ~0ul.
Signed-off-by: David Laight <david.laight.linux@...il.com>
---
lib/iov_iter.c | 44 ++++++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 623ec43e049a..796ef647bff2 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -19,12 +19,15 @@ size_t copy_to_user_iter(void __user *iter_to, size_t progress,
{
if (should_fail_usercopy())
return len;
- if (access_ok(iter_to, len)) {
- from += progress;
- instrument_copy_to_user(iter_to, from, len);
- len = raw_copy_to_user(iter_to, from, len);
- }
- return len;
+
+ if (can_do_masked_user_access())
+ iter_to = mask_user_address(iter_to);
+ else if (!access_ok(iter_to, len))
+ return len;
+
+ from += progress;
+ instrument_copy_to_user(iter_to, from, len);
+ return raw_copy_to_user(iter_to, from, len);
}
static __always_inline
@@ -49,12 +52,17 @@ size_t copy_from_user_iter(void __user *iter_from, size_t progress,
if (should_fail_usercopy())
return len;
- if (access_ok(iter_from, len)) {
- to += progress;
- instrument_copy_from_user_before(to, iter_from, len);
- res = raw_copy_from_user(to, iter_from, len);
- instrument_copy_from_user_after(to, iter_from, len, res);
- }
+
+ if (can_do_masked_user_access())
+ iter_from = mask_user_address(iter_from);
+ else if (!access_ok(iter_from, len))
+ return len;
+
+ to += progress;
+ instrument_copy_from_user_before(to, iter_from, len);
+ res = raw_copy_from_user(to, iter_from, len);
+ instrument_copy_from_user_after(to, iter_from, len, res);
+
return res;
}
@@ -1326,15 +1334,17 @@ static __noclone int copy_compat_iovec_from_user(struct iovec *iov,
int ret = -EFAULT;
u32 i;
- if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
+ if (can_do_masked_user_access())
+ uiov = masked_user_access_begin(uiov);
+ else if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
return -EFAULT;
for (i = 0; i < nr_segs; i++) {
compat_uptr_t buf;
compat_ssize_t len;
- unsafe_get_user(len, &uiov[i].iov_len, uaccess_end);
unsafe_get_user(buf, &uiov[i].iov_base, uaccess_end);
+ unsafe_get_user(len, &uiov[i].iov_len, uaccess_end);
/* check for compat_size_t not fitting in compat_ssize_t .. */
if (len < 0) {
@@ -1356,15 +1366,17 @@ static __noclone int copy_iovec_from_user(struct iovec *iov,
{
int ret = -EFAULT;
- if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
+ if (can_do_masked_user_access())
+ uiov = masked_user_access_begin(uiov);
+ else if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
return -EFAULT;
do {
void __user *buf;
ssize_t len;
- unsafe_get_user(len, &uiov->iov_len, uaccess_end);
unsafe_get_user(buf, &uiov->iov_base, uaccess_end);
+ unsafe_get_user(len, &uiov->iov_len, uaccess_end);
/* check for size_t not fitting in ssize_t .. */
if (unlikely(len < 0)) {
--
2.39.5
Powered by blists - more mailing lists