lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <DA7WMFWY8I6Z.2EADXSPL111PP@kernel.org>
Date: Wed, 28 May 2025 17:38:08 +0200
From: "Benno Lossin" <lossin@...nel.org>
To: "Boqun Feng" <boqun.feng@...il.com>, "Al Viro" <viro@...iv.linux.org.uk>
Cc: "Alice Ryhl" <aliceryhl@...gle.com>, "Miguel Ojeda" <ojeda@...nel.org>,
 "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>, "Arnd Bergmann"
 <arnd@...db.de>, "Andrew Morton" <akpm@...ux-foundation.org>, "Gary Guo"
 <gary@...yguo.net>, Björn Roy Baron
 <bjorn3_gh@...tonmail.com>, "Benno Lossin" <benno.lossin@...ton.me>,
 "Andreas Hindborg" <a.hindborg@...nel.org>, "Trevor Gross"
 <tmgross@...ch.edu>, "Danilo Krummrich" <dakr@...nel.org>,
 <rust-for-linux@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] uaccess: rust: use newtype for user pointers

On Wed May 28, 2025 at 1:13 AM CEST, Boqun Feng wrote:
> On Tue, May 27, 2025 at 11:12:11PM +0100, Al Viro wrote:
>> On Tue, May 27, 2025 at 01:53:12PM +0000, Alice Ryhl wrote:
>> > In C code we use sparse with the __user annotation to detect cases where
>> > a user pointer is mixed up with other things. To replicate that, we
>> > introduce a new struct UserPtr that serves the same purpose using the
>> > newtype pattern.
>> > 
>> > The UserPtr type is not marked with #[derive(Debug)], which means that
>> > it's not possible to print values of this type. This avoids ASLR
>> > leakage.
>> > 
>> > The type is added to the prelude as it is a fairly fundamental type
>> > similar to c_int. The wrapping_add() method is renamed to
>> > wrapping_byte_add() for consistency with the method name found on raw
>> > pointers.
>> 
>> That's considerably weaker than __user, though - with
>> 	struct foo {struct bar x; struct baz y[2]; };
>
> Translate to Rust this is:
>
>     struct Foo {
>         x: Bar,
> 	y: Baz[2],
>     }
>
>> 	struct foo __user *p;
>
> UserPtr should probably be generic over pointee, so:
>
>     pub struct UserPtr<T>(*mut c_void, PhantomData<*mut T>);
>
> and
>
>     let p: UserPtr<Foo> = ...;
>
>> 	void f(struct bar __user *);
>
> and this is:
>
>     pub fn f(bar: UserPtr<Bar>)
>
> and the checking should work, a (maybe unrelated) tricky part though..
>
>> sparse does figure out that f(&p->y[1]) is a type error - &p->y[1] is
>
> In Rust, you will need to play a little unsafe game to get &p->y[1]:
>
>     let foo_ptr: *mut Foo = p.as_mut_ptr();
>     let y_ptr: *mut Baz = unsafe { addr_of_mut!((*foo_ptr).y[1]) };
>     let y: UserPtr<Baz> = unsafe { UserPtr::from_ptr(y_ptr) };

Shouldn't this use `wrapping_add` since the pointer shouldn't be
dereferenced?

If we don't use `wrapping_add`, then the field projection operation for
this type must be `unsafe`.

---
Cheers,
Benno

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ