lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <55ad62f0-759d-48db-a8b2-6ca0b34380c0@de.bosch.com>
Date: Thu, 4 Sep 2025 08:48:12 +0200
From: Dirk Behme <dirk.behme@...bosch.com>
To: Benno Lossin <lossin@...nel.org>, Greg KH <gregkh@...uxfoundation.org>,
	Simona Vetter <simona.vetter@...ll.ch>, Miguel Ojeda <ojeda@...nel.org>, Alex
 Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo
	<gary@...yguo.net>, Björn Roy Baron
	<bjorn3_gh@...tonmail.com>, Andreas Hindborg <a.hindborg@...nel.org>, "Alice
 Ryhl" <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, "Danilo
 Krummrich" <dakr@...nel.org>
CC: Benno Lossin <benno.lossin@...ton.me>, <rust-for-linux@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH v4 3/4] rust: validate: add `Validate` trait

On 14/08/2025 14:44, Benno Lossin wrote:
> From: Benno Lossin <benno.lossin@...ton.me>
> 
> Introduce the `Validate<Input>` trait and functions to validate
> `Untrusted<T>` using said trait. This allows one to access the inner
> value of `Untrusted<T>` via `validate{,_ref,_mut}` functions which
> subsequently delegate the validation to user-implemented `Validate`
> trait.
> 
> The `Validate` trait is the only entry point for validation code, making
> it easy to spot where data is being validated.
> 
> The reason for restricting the types that can be inputs to
> `Validate::validate` is to be able to have the `validate...` functions
> on `Untrusted`. This is also the reason for the suggestions in the
> `Usage in API Design` section in the commit that introduced
> `Untrusted<T>`.
> 
> Signed-off-by: Benno Lossin <benno.lossin@...ton.me>


While experimenting with this I was looking for an example how to use
`Validate::validate`. For example, illustrating how the "very bad idea"
read_bytes_from_network() example from patch 2/4 could be done correctly
with these patches would be nice.

Just to illustrate what I'm thinking about see [1].

Thanks!

Dirk

[1]

diff --git a/rust/kernel/validate.rs b/rust/kernel/validate.rs
index 2a582a572aa5e..688ccd541712a 100644
--- a/rust/kernel/validate.rs
+++ b/rust/kernel/validate.rs
@@ -82,6 +82,7 @@
 /// Here too the reason is that `KVec<Untrusted<u8>>` is more
restrictive compared to
 /// `Untrusted<KVec<u8>>`.
 #[repr(transparent)]
+#[derive(Copy, Clone)]
 pub struct Untrusted<T: ?Sized>(T);

 impl<T: ?Sized> Untrusted<T> {
@@ -201,6 +202,49 @@ impl<'a, T: ?Sized> Sealed for &'a mut Untrusted<T> {}
 /// Care must be taken when implementing this trait, as unprotected
access to unvalidated data is
 /// given to the [`Validate::validate`] function. The implementer must
ensure that the data is only
 /// used for logic after successful validation.
+///
+/// # Examples
+///
+///```
+/// # use kernel::validate::{Untrusted, Validate};
+///
+/// struct TrustedIndex(u8);
+/// struct TrustedData(u8);
+///
+/// # fn read_bytes_from_network() -> KBox<Untrusted<[u8]>> {
+/// #    Box::new(Untrusted::new([1, 0]),
kernel::alloc::flags::GFP_KERNEL).unwrap()
+/// # }
+/// impl Validate<Untrusted<u8>> for TrustedIndex {
+///     type Err = Error;
+///
+///     fn validate(raw: u8) -> Result<Self, Self::Err> {
+///         if raw != 1 {
+///             pr_err!("Invalid index: {}\n", raw);
+///             return Err(EINVAL);
+///         }
+///         Ok(TrustedIndex(raw))
+///     }
+/// }
+///
+/// impl Validate<Untrusted<u8>> for TrustedData {
+///     type Err = Error;
+///
+///     fn validate(raw: u8) -> Result<Self, Self::Err> {
+///         // All raw data values are valid
+///         Ok(TrustedData(raw))
+///     }
+/// }
+///
+/// fn example() -> Result{
+///    let rawbytes = read_bytes_from_network();
+///    let index = rawbytes[0].validate::<TrustedIndex>()?;
+///    let data =
rawbytes[usize::from(index.0)].validate::<TrustedData>()?;
+///    assert_eq!(data.0, 0);
+///    Ok(())
+/// }
+/// # example()?;
+/// # Ok::<(), Error>(())
+/// ```
 pub trait Validate<Input: ValidateInput>: Sized {
     /// Validation error.
     type Err;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ