| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aDbp4cM3Dmv84bm8@google.com>
Date: Wed, 28 May 2025 10:48:01 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: Boqun Feng <boqun.feng@...il.com>
Cc: Al Viro <viro@...iv.linux.org.uk>, Miguel Ojeda <ojeda@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Arnd Bergmann <arnd@...db.de>,
Andrew Morton <akpm@...ux-foundation.org>, Gary Guo <gary@...yguo.net>,
"Björn Roy Baron" <bjorn3_gh@...tonmail.com>, Benno Lossin <benno.lossin@...ton.me>,
Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>,
Danilo Krummrich <dakr@...nel.org>, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] uaccess: rust: use newtype for user pointers
On Tue, May 27, 2025 at 04:13:03PM -0700, Boqun Feng wrote:
> On Tue, May 27, 2025 at 11:12:11PM +0100, Al Viro wrote:
> > On Tue, May 27, 2025 at 01:53:12PM +0000, Alice Ryhl wrote:
> > > In C code we use sparse with the __user annotation to detect cases where
> > > a user pointer is mixed up with other things. To replicate that, we
> > > introduce a new struct UserPtr that serves the same purpose using the
> > > newtype pattern.
> > >
> > > The UserPtr type is not marked with #[derive(Debug)], which means that
> > > it's not possible to print values of this type. This avoids ASLR
> > > leakage.
> > >
> > > The type is added to the prelude as it is a fairly fundamental type
> > > similar to c_int. The wrapping_add() method is renamed to
> > > wrapping_byte_add() for consistency with the method name found on raw
> > > pointers.
> >
> > That's considerably weaker than __user, though - with
> > struct foo {struct bar x; struct baz y[2]; };
>
> Translate to Rust this is:
>
> struct Foo {
> x: Bar,
> y: Baz[2],
> }
>
> > struct foo __user *p;
>
> UserPtr should probably be generic over pointee, so:
>
> pub struct UserPtr<T>(*mut c_void, PhantomData<*mut T>);
>
> and
>
> let p: UserPtr<Foo> = ...;
>
> > void f(struct bar __user *);
>
> and this is:
>
> pub fn f(bar: UserPtr<Bar>)
>
> and the checking should work, a (maybe unrelated) tricky part though..
>
> > sparse does figure out that f(&p->y[1]) is a type error - &p->y[1] is
>
> In Rust, you will need to play a little unsafe game to get &p->y[1]:
>
> let foo_ptr: *mut Foo = p.as_mut_ptr();
> let y_ptr: *mut Baz = unsafe { addr_of_mut!((*foo_ptr).y[1]) };
> let y: UserPtr<Baz> = unsafe { UserPtr::from_ptr(y_ptr) };
>
> passing y to f() will get a type mismatch, so the detection/checking
> works. To avoid the unsafe game we need field projection [1].
That looks pretty unergonomic. We can do better than that.
Alice
> > struct baz __user * and f() expects struct bar __user *.
> >
> > It's not just mixing userland pointers with other things - it's not mixing
> > userland pointers to different types, etc.
> >
>
> In short, with UserPtr generic over pointee, we can have the similar
> detection as sparse.
>
> [1]: https://github.com/rust-lang/rfcs/pull/3735
>
> Regards,
> Boqun
>
> > In practice I've seen quite a few brainos caught by that...
Powered by blists - more mailing lists