| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHk-=wh+zcmrHM5ryM=_71vEwjaRjwRHVgFu8WRG5xsgu3ku+A@mail.gmail.com>
Date: Tue, 24 Jun 2025 08:15:14 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Christophe Leroy <christophe.leroy@...roup.eu>
Cc: Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
Naveen N Rao <naveen@...nel.org>, Madhavan Srinivasan <maddy@...ux.ibm.com>,
Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>, Darren Hart <dvhart@...radead.org>,
Davidlohr Bueso <dave@...olabs.net>, Andre Almeida <andrealmeid@...lia.com>,
Andrew Morton <akpm@...ux-foundation.org>, David Laight <david.laight.linux@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>, linux-kernel@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org
Subject: Re: [PATCH 2/5] uaccess: Add speculation barrier to copy_from_user_iter()
On Mon, 23 Jun 2025 at 22:49, Christophe Leroy
<christophe.leroy@...roup.eu> wrote:
>
> >
> > (Although I also suspect that when we added ITER_UBUF we might have
> > created cases where those user addresses aren't checked at iter
> > creation time any more).
> >
>
> Let's take the follow path as an exemple:
>
> snd_pcm_ioctl(SNDRV_PCM_IOCTL_WRITEI_FRAMES)
> snd_pcm_common_ioctl()
> snd_pcm_xferi_frames_ioctl()
> snd_pcm_lib_write()
> __snd_pcm_lib_xfer()
> default_write_copy()
> copy_from_iter()
> _copy_from_iter()
> __copy_from_iter()
> iterate_and_advance()
> iterate_and_advance2()
> iterate_iovec()
> copy_from_user_iter()
>
> As far as I can see, none of those functions check the accessibility of
> the iovec. Am I missing something ?
So we still to do this checking at creation time (see import_iovec ->
__import_iovec, and import_ubuf).
In the path you give as an example, the check happens at that
"do_transfer()" stage when it does
err = import_ubuf(type, (__force void __user *)data, bytes, &iter);
but yeah, it's very non-obvious (see __snd_pcm_lib_xfer(), which calls
writer() which is either interleaved_copy() or noninterleaved_copy(),
and then they do that do_transfer() thing which does that
import_ubuf() thing.
So *because* you were supposed to have checked your iov_iters
beforehand, the actual iter code itself at some point just used
__copy_to_user() directly with no checking at all.
And that all was really *much* too subtle, and Al fixed this a few
years ago (see commit 09fc68dc66f7: "iov_iter: saner checks on
copyin/copyout")
Linus
Powered by blists - more mailing lists