[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <55ad62f0-759d-48db-a8b2-6ca0b34380c0@de.bosch.com>
Date: Thu, 4 Sep 2025 08:48:12 +0200
From: Dirk Behme <dirk.behme@...bosch.com>
To: Benno Lossin <lossin@...nel.org>, Greg KH <gregkh@...uxfoundation.org>,
Simona Vetter <simona.vetter@...ll.ch>, Miguel Ojeda <ojeda@...nel.org>, Alex
Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo
<gary@...yguo.net>, Björn Roy Baron
<bjorn3_gh@...tonmail.com>, Andreas Hindborg <a.hindborg@...nel.org>, "Alice
Ryhl" <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, "Danilo
Krummrich" <dakr@...nel.org>
CC: Benno Lossin <benno.lossin@...ton.me>, <rust-for-linux@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH v4 3/4] rust: validate: add `Validate` trait
On 14/08/2025 14:44, Benno Lossin wrote:
> From: Benno Lossin <benno.lossin@...ton.me>
>
> Introduce the `Validate<Input>` trait and functions to validate
> `Untrusted<T>` using said trait. This allows one to access the inner
> value of `Untrusted<T>` via `validate{,_ref,_mut}` functions which
> subsequently delegate the validation to user-implemented `Validate`
> trait.
>
> The `Validate` trait is the only entry point for validation code, making
> it easy to spot where data is being validated.
>
> The reason for restricting the types that can be inputs to
> `Validate::validate` is to be able to have the `validate...` functions
> on `Untrusted`. This is also the reason for the suggestions in the
> `Usage in API Design` section in the commit that introduced
> `Untrusted<T>`.
>
> Signed-off-by: Benno Lossin <benno.lossin@...ton.me>
While experimenting with this I was looking for an example how to use
`Validate::validate`. For example, illustrating how the "very bad idea"
read_bytes_from_network() example from patch 2/4 could be done correctly
with these patches would be nice.
Just to illustrate what I'm thinking about see [1].
Thanks!
Dirk
[1]
diff --git a/rust/kernel/validate.rs b/rust/kernel/validate.rs
index 2a582a572aa5e..688ccd541712a 100644
--- a/rust/kernel/validate.rs
+++ b/rust/kernel/validate.rs
@@ -82,6 +82,7 @@
/// Here too the reason is that `KVec<Untrusted<u8>>` is more
restrictive compared to
/// `Untrusted<KVec<u8>>`.
#[repr(transparent)]
+#[derive(Copy, Clone)]
pub struct Untrusted<T: ?Sized>(T);
impl<T: ?Sized> Untrusted<T> {
@@ -201,6 +202,49 @@ impl<'a, T: ?Sized> Sealed for &'a mut Untrusted<T> {}
/// Care must be taken when implementing this trait, as unprotected
access to unvalidated data is
/// given to the [`Validate::validate`] function. The implementer must
ensure that the data is only
/// used for logic after successful validation.
+///
+/// # Examples
+///
+///```
+/// # use kernel::validate::{Untrusted, Validate};
+///
+/// struct TrustedIndex(u8);
+/// struct TrustedData(u8);
+///
+/// # fn read_bytes_from_network() -> KBox<Untrusted<[u8]>> {
+/// # Box::new(Untrusted::new([1, 0]),
kernel::alloc::flags::GFP_KERNEL).unwrap()
+/// # }
+/// impl Validate<Untrusted<u8>> for TrustedIndex {
+/// type Err = Error;
+///
+/// fn validate(raw: u8) -> Result<Self, Self::Err> {
+/// if raw != 1 {
+/// pr_err!("Invalid index: {}\n", raw);
+/// return Err(EINVAL);
+/// }
+/// Ok(TrustedIndex(raw))
+/// }
+/// }
+///
+/// impl Validate<Untrusted<u8>> for TrustedData {
+/// type Err = Error;
+///
+/// fn validate(raw: u8) -> Result<Self, Self::Err> {
+/// // All raw data values are valid
+/// Ok(TrustedData(raw))
+/// }
+/// }
+///
+/// fn example() -> Result{
+/// let rawbytes = read_bytes_from_network();
+/// let index = rawbytes[0].validate::<TrustedIndex>()?;
+/// let data =
rawbytes[usize::from(index.0)].validate::<TrustedData>()?;
+/// assert_eq!(data.0, 0);
+/// Ok(())
+/// }
+/// # example()?;
+/// # Ok::<(), Error>(())
+/// ```
pub trait Validate<Input: ValidateInput>: Sized {
/// Validation error.
type Err;
Powered by blists - more mailing lists