| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251022152006.4d461c8b@pumpkin>
Date: Wed, 22 Oct 2025 15:20:06 +0100
From: David Laight <david.laight.linux@...il.com>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: LKML <linux-kernel@...r.kernel.org>, Christophe Leroy
<christophe.leroy@...roup.eu>, Mathieu Desnoyers
<mathieu.desnoyers@...icios.com>, Andrew Cooper
<andrew.cooper3@...rix.com>, Linus Torvalds
<torvalds@...ux-foundation.org>, kernel test robot <lkp@...el.com>, Russell
King <linux@...linux.org.uk>, linux-arm-kernel@...ts.infradead.org,
x86@...nel.org, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman
<mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
linuxppc-dev@...ts.ozlabs.org, Paul Walmsley <pjw@...nel.org>, Palmer
Dabbelt <palmer@...belt.com>, linux-riscv@...ts.infradead.org, Heiko
Carstens <hca@...ux.ibm.com>, Christian Borntraeger
<borntraeger@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>,
linux-s390@...r.kernel.org, Julia Lawall <Julia.Lawall@...ia.fr>, Nicolas
Palix <nicolas.palix@...g.fr>, Peter Zijlstra <peterz@...radead.org>,
Darren Hart <dvhart@...radead.org>, Davidlohr Bueso <dave@...olabs.net>,
André Almeida <andrealmeid@...lia.com>, Alexander Viro
<viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara
<jack@...e.cz>, linux-fsdevel@...r.kernel.org
Subject: Re: [patch V4 07/12] uaccess: Provide scoped user access regions
On Wed, 22 Oct 2025 14:49:10 +0200 (CEST)
Thomas Gleixner <tglx@...utronix.de> wrote:
> User space access regions are tedious and require similar code patterns all
> over the place:
>
> if (!user_read_access_begin(from, sizeof(*from)))
> return -EFAULT;
> unsafe_get_user(val, from, Efault);
> user_read_access_end();
> return 0;
> Efault:
> user_read_access_end();
> return -EFAULT;
>
> This got worse with the recent addition of masked user access, which
> optimizes the speculation prevention:
>
> if (can_do_masked_user_access())
> from = masked_user_read_access_begin((from));
> else if (!user_read_access_begin(from, sizeof(*from)))
> return -EFAULT;
> unsafe_get_user(val, from, Efault);
> user_read_access_end();
> return 0;
> Efault:
> user_read_access_end();
> return -EFAULT;
>
> There have been issues with using the wrong user_*_access_end() variant in
> the error path and other typical Copy&Pasta problems, e.g. using the wrong
> fault label in the user accessor which ends up using the wrong accesss end
> variant.
>
> These patterns beg for scopes with automatic cleanup. The resulting outcome
> is:
> scoped_user_read_access(from, Efault)
> unsafe_get_user(val, from, Efault);
> return 0;
> Efault:
> return -EFAULT;
>
> The scope guarantees the proper cleanup for the access mode is invoked both
> in the success and the failure (fault) path.
>
> The scoped_user_$MODE_access() macros are implemented as self terminating
> nested for() loops. Thanks to Andrew Cooper for pointing me at them. The
> scope can therefore be left with 'break', 'goto' and 'return'. Even
> 'continue' "works" due to the self termination mechanism.
I think that 'feature' should be marked as a 'bug', consider code like:
for (; len >= sizeof (*uaddr); uaddr++; len -= sizeof (*uaddr)) {
scoped_user_read_access(uaddr, Efault) {
int frag_len;
unsafe_get_user(frag_len, &uaddr->len, Efault);
if (!frag_len)
break;
...
}
...
}
The expectation would be that the 'break' applies to the visible 'for' loop.
But you need a 'goto' to escape from the visible loop.
Someone who groks the static checkers might want to try to detect
continue/break in those loops.
David
Powered by blists - more mailing lists