| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68373397.0c0a0220.2ee6b.2fb9@mx.google.com>
Date: Wed, 28 May 2025 09:02:29 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: Benno Lossin <lossin@...nel.org>
Cc: Al Viro <viro@...iv.linux.org.uk>, Alice Ryhl <aliceryhl@...gle.com>,
Miguel Ojeda <ojeda@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arnd Bergmann <arnd@...db.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>,
Andreas Hindborg <a.hindborg@...nel.org>,
Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] uaccess: rust: use newtype for user pointers
On Wed, May 28, 2025 at 05:38:08PM +0200, Benno Lossin wrote:
> On Wed May 28, 2025 at 1:13 AM CEST, Boqun Feng wrote:
> > On Tue, May 27, 2025 at 11:12:11PM +0100, Al Viro wrote:
> >> On Tue, May 27, 2025 at 01:53:12PM +0000, Alice Ryhl wrote:
> >> > In C code we use sparse with the __user annotation to detect cases where
> >> > a user pointer is mixed up with other things. To replicate that, we
> >> > introduce a new struct UserPtr that serves the same purpose using the
> >> > newtype pattern.
> >> >
> >> > The UserPtr type is not marked with #[derive(Debug)], which means that
> >> > it's not possible to print values of this type. This avoids ASLR
> >> > leakage.
> >> >
> >> > The type is added to the prelude as it is a fairly fundamental type
> >> > similar to c_int. The wrapping_add() method is renamed to
> >> > wrapping_byte_add() for consistency with the method name found on raw
> >> > pointers.
> >>
> >> That's considerably weaker than __user, though - with
> >> struct foo {struct bar x; struct baz y[2]; };
> >
> > Translate to Rust this is:
> >
> > struct Foo {
> > x: Bar,
> > y: Baz[2],
> > }
> >
> >> struct foo __user *p;
> >
> > UserPtr should probably be generic over pointee, so:
> >
> > pub struct UserPtr<T>(*mut c_void, PhantomData<*mut T>);
> >
> > and
> >
> > let p: UserPtr<Foo> = ...;
> >
> >> void f(struct bar __user *);
> >
> > and this is:
> >
> > pub fn f(bar: UserPtr<Bar>)
> >
> > and the checking should work, a (maybe unrelated) tricky part though..
> >
> >> sparse does figure out that f(&p->y[1]) is a type error - &p->y[1] is
> >
> > In Rust, you will need to play a little unsafe game to get &p->y[1]:
> >
> > let foo_ptr: *mut Foo = p.as_mut_ptr();
> > let y_ptr: *mut Baz = unsafe { addr_of_mut!((*foo_ptr).y[1]) };
> > let y: UserPtr<Baz> = unsafe { UserPtr::from_ptr(y_ptr) };
>
> Shouldn't this use `wrapping_add` since the pointer shouldn't be
> dereferenced?
>
Good point, so:
let foo_ptr: *mut Foo = p.as_mut_ptr();
let y_ptr: *mut Baz = foo_ptr.wrapping_byte_add(offset_of!(Foo, y[1]));
let y: UserPtr<Baz> = unsafe { UserPtr::from_ptr(y_ptr) };
(using wrapping_byte_add() + offset_of!())
Regards,
Boqun
> If we don't use `wrapping_add`, then the field projection operation for
> this type must be `unsafe`.
>
> ---
> Cheers,
> Benno
Powered by blists - more mailing lists