lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <83969228-bc7c-4eda-8531-53681e7f6600@gmail.com>
Date: Tue, 27 May 2025 21:03:27 +0200
From: Christian Schrefl <chrisi.schrefl@...il.com>
To: Alice Ryhl <aliceryhl@...gle.com>, Miguel Ojeda <ojeda@...nel.org>,
 Alexander Viro <viro@...iv.linux.org.uk>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Arnd Bergmann <arnd@...db.de>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
 Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
 Björn Roy Baron <bjorn3_gh@...tonmail.com>,
 Benno Lossin <benno.lossin@...ton.me>,
 Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>,
 Danilo Krummrich <dakr@...nel.org>, rust-for-linux@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] uaccess: rust: use newtype for user pointers

Hi Alice,

On 27.05.25 3:53 PM, Alice Ryhl wrote:
> In C code we use sparse with the __user annotation to detect cases where
> a user pointer is mixed up with other things. To replicate that, we
> introduce a new struct UserPtr that serves the same purpose using the
> newtype pattern.
> 
> The UserPtr type is not marked with #[derive(Debug)], which means that
> it's not possible to print values of this type. This avoids ASLR
> leakage.
> 
> The type is added to the prelude as it is a fairly fundamental type
> similar to c_int. The wrapping_add() method is renamed to
> wrapping_byte_add() for consistency with the method name found on raw
> pointers.
> 
> Signed-off-by: Alice Ryhl <aliceryhl@...gle.com>
> ---
> This is based on top of the strncpy_from_user for Rust patch.
> ---
> Changes in v2:
> - Change usize to raw pointer.
> - Make field private.
> - Rename wrapping_add to wrapping_byte_add.
> - Add to prelude.
> - Rebase on v4 of strncpy_from_user
> - Link to v1: https://lore.kernel.org/r/20250506-userptr-newtype-v1-1-a0f6f8ce9fc5@google.com
> ---
>  rust/kernel/prelude.rs           |  2 ++
>  rust/kernel/uaccess.rs           | 68 +++++++++++++++++++++++++++++++++-------
>  samples/rust/rust_misc_device.rs |  2 ++
>  3 files changed, 60 insertions(+), 12 deletions(-)
> 
> diff --git a/rust/kernel/prelude.rs b/rust/kernel/prelude.rs
> index baa774a351ceeb995a2a647f78a27b408d9f3834..081af5bc07b0bcefb1da16e5a81fc611b3178aea 100644
> --- a/rust/kernel/prelude.rs
> +++ b/rust/kernel/prelude.rs
> @@ -41,3 +41,5 @@
>  pub use super::init::InPlaceInit;
>  
>  pub use super::current;
> +
> +pub use super::uaccess::UserPtr;
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index e6534b52a1920254d61f8349426d4cdb38286089..02e0561eb1c6f4d813a4ab13a124bfac2d2a5c75 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -14,8 +14,48 @@
>  };
>  use core::mem::{size_of, MaybeUninit};
>  
> -/// The type used for userspace addresses.
> -pub type UserPtr = usize;
> +/// A pointer into userspace.
> +///
> +/// This is the Rust equivalent to C pointers tagged with `__user`.
> +#[repr(transparent)]
> +#[derive(Copy, Clone)]
> +pub struct UserPtr(*mut c_void);
> +
> +impl UserPtr {
> +    /// Create a `UserPtr` from an integer representing the userspace address.
> +    pub fn from_addr(addr: usize) -> Self {
> +        Self(addr as *mut c_void)
> +    }
> +
> +    /// Create a `UserPtr` from a pointer representing the userspace address.
> +    pub fn from_ptr(addr: *mut c_void) -> Self {
> +        Self(addr)
> +    }
> +
> +    /// Cast this userspace pointer to a raw const void pointer.
> +    ///
> +    /// It is up to the caller to use the returned pointer correctly.
> +    #[inline]
> +    pub fn as_const_ptr(self) -> *const c_void {
> +        self.0
> +    }
> +
> +    /// Cast this userspace pointer to a raw mutable void pointer.
> +    ///
> +    /// It is up to the caller to use the returned pointer correctly.
> +    #[inline]
> +    pub fn as_mut_ptr(self) -> *mut c_void {
> +        self.0
> +    }
> +
> +    /// Increment this user pointer by `add` bytes.
> +    ///
> +    /// This addition is wrapping, so wrapping around the address space does not result in a panic
> +    /// even if `CONFIG_RUST_OVERFLOW_CHECKS` is enabled.
> +    pub fn wrapping_byte_add(self, add: usize) -> UserPtr {
> +        UserPtr(self.0.wrapping_add(add))

Why use `ptr::wrapping_add` instead of `ptr::wrapping_byte_add`?

Should not really matter in this case, because `c_void` is 
`repr(u8)`, but I find it a bit weird to use `wrapping_add` here.

With that fixed:

Reviewed-by: Christian Schrefl <chrisi.schrefl@...il.com>

> +    }
> +}
>  
>  /// A pointer to an area in userspace memory, which can be either read-only or read-write.
>  ///
> @@ -179,7 +219,7 @@ impl UserSliceReader {
>      pub fn skip(&mut self, num_skip: usize) -> Result {
>          // Update `self.length` first since that's the fallible part of this operation.
>          self.length = self.length.checked_sub(num_skip).ok_or(EFAULT)?;
> -        self.ptr = self.ptr.wrapping_add(num_skip);
> +        self.ptr = self.ptr.wrapping_byte_add(num_skip);
>          Ok(())
>      }
>  
> @@ -226,11 +266,11 @@ pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
>          }
>          // SAFETY: `out_ptr` points into a mutable slice of length `len`, so we may write
>          // that many bytes to it.
> -        let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr as *const c_void, len) };
> +        let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr.as_const_ptr(), len) };
>          if res != 0 {
>              return Err(EFAULT);
>          }
> -        self.ptr = self.ptr.wrapping_add(len);
> +        self.ptr = self.ptr.wrapping_byte_add(len);
>          self.length -= len;
>          Ok(())
>      }
> @@ -264,14 +304,14 @@ pub fn read<T: FromBytes>(&mut self) -> Result<T> {
>          let res = unsafe {
>              bindings::_copy_from_user(
>                  out.as_mut_ptr().cast::<c_void>(),
> -                self.ptr as *const c_void,
> +                self.ptr.as_const_ptr(),
>                  len,
>              )
>          };
>          if res != 0 {
>              return Err(EFAULT);
>          }
> -        self.ptr = self.ptr.wrapping_add(len);
> +        self.ptr = self.ptr.wrapping_byte_add(len);
>          self.length -= len;
>          // SAFETY: The read above has initialized all bytes in `out`, and since `T` implements
>          // `FromBytes`, any bit-pattern is a valid value for this type.
> @@ -384,11 +424,11 @@ pub fn write_slice(&mut self, data: &[u8]) -> Result {
>          }
>          // SAFETY: `data_ptr` points into an immutable slice of length `len`, so we may read
>          // that many bytes from it.
> -        let res = unsafe { bindings::copy_to_user(self.ptr as *mut c_void, data_ptr, len) };
> +        let res = unsafe { bindings::copy_to_user(self.ptr.as_mut_ptr(), data_ptr, len) };
>          if res != 0 {
>              return Err(EFAULT);
>          }
> -        self.ptr = self.ptr.wrapping_add(len);
> +        self.ptr = self.ptr.wrapping_byte_add(len);
>          self.length -= len;
>          Ok(())
>      }
> @@ -411,7 +451,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
>          // is a compile-time constant.
>          let res = unsafe {
>              bindings::_copy_to_user(
> -                self.ptr as *mut c_void,
> +                self.ptr.as_mut_ptr(),
>                  (value as *const T).cast::<c_void>(),
>                  len,
>              )
> @@ -419,7 +459,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
>          if res != 0 {
>              return Err(EFAULT);
>          }
> -        self.ptr = self.ptr.wrapping_add(len);
> +        self.ptr = self.ptr.wrapping_byte_add(len);
>          self.length -= len;
>          Ok(())
>      }
> @@ -444,7 +484,11 @@ fn raw_strncpy_from_user(dst: &mut [MaybeUninit<u8>], src: UserPtr) -> Result<us
>  
>      // SAFETY: `dst` is valid for writing `dst.len()` bytes.
>      let res = unsafe {
> -        bindings::strncpy_from_user(dst.as_mut_ptr().cast::<c_char>(), src as *const c_char, len)
> +        bindings::strncpy_from_user(
> +            dst.as_mut_ptr().cast::<c_char>(),
> +            src.as_const_ptr().cast::<c_char>(),
> +            len,
> +        )
>      };
>  
>      if res < 0 {
> diff --git a/samples/rust/rust_misc_device.rs b/samples/rust/rust_misc_device.rs
> index c881fd6dbd08cf4308fe1bd37d11d28374c1f034..e7ab77448f754906615b6f89d72b51fa268f6c41 100644
> --- a/samples/rust/rust_misc_device.rs
> +++ b/samples/rust/rust_misc_device.rs
> @@ -176,6 +176,8 @@ fn open(_file: &File, misc: &MiscDeviceRegistration<Self>) -> Result<Pin<KBox<Se
>      fn ioctl(me: Pin<&RustMiscDevice>, _file: &File, cmd: u32, arg: usize) -> Result<isize> {
>          dev_info!(me.dev, "IOCTLing Rust Misc Device Sample\n");
>  
> +        // Treat the ioctl argument as a user pointer.
> +        let arg = UserPtr::from_addr(arg);
>          let size = _IOC_SIZE(cmd);
>  
>          match cmd {
> 
> ---
> base-commit: f34da179a4517854b2ffbe4bce8c3405bd9be04e
> change-id: 20250506-userptr-newtype-2f060985c33b
> prerequisite-change-id: 20250424-strncpy-from-user-1f2d06b0cdde:v4
> prerequisite-patch-id: d35c479ddb84bacc541dbb226c7911e5a22cad7e
> prerequisite-patch-id: e0c345945dabfa18e9ca11f7fe11f8178d071285
> 
> Best regards,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ