| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191016052324.2owkg2zochq5l7l3@ast-mbp>
Date: Tue, 15 Oct 2019 22:23:26 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net,
kafai@...com, linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
songliubraving@...com, yhs@...com, Aleksa Sarai <cyphar@...har.com>
Subject: Re: [PATCH v3 1/3] bpf: use check_zeroed_user() in
bpf_check_uarg_tail_zero()
On Wed, Oct 16, 2019 at 05:44:30AM +0200, Christian Brauner wrote:
> In v5.4-rc2 we added a new helper (cf. [1]) check_zeroed_user() which
> does what bpf_check_uarg_tail_zero() is doing generically. We're slowly
> switching such codepaths over to use check_zeroed_user() instead of
> using their own hand-rolled version.
>
> [1]: f5a1a536fa14 ("lib: introduce copy_struct_from_user() helper")
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Cc: bpf@...r.kernel.org
> Acked-by: Aleksa Sarai <cyphar@...har.com>
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
> ---
> /* v1 */
> Link: https://lore.kernel.org/r/20191009160907.10981-2-christian.brauner@ubuntu.com
>
> /* v2 */
> Link: https://lore.kernel.org/r/20191016004138.24845-2-christian.brauner@ubuntu.com
> - Alexei Starovoitov <ast@...nel.org>:
> - Add a comment in bpf_check_uarg_tail_zero() to clarify that
> copy_struct_from_user() should be used whenever possible instead.
>
> /* v3 */
> - Christian Brauner <christian.brauner@...ntu.com>:
> - use correct checks for check_zeroed_user()
> ---
> kernel/bpf/syscall.c | 25 +++++++++----------------
> 1 file changed, 9 insertions(+), 16 deletions(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 82eabd4e38ad..40edcaeccd71 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -58,35 +58,28 @@ static const struct bpf_map_ops * const bpf_map_types[] = {
> * There is a ToCToU between this function call and the following
> * copy_from_user() call. However, this is not a concern since this function is
> * meant to be a future-proofing of bits.
> + *
> + * Note, instead of using bpf_check_uarg_tail_zero() followed by
> + * copy_from_user() use the dedicated copy_struct_from_user() helper which
> + * performs both tasks whenever possible.
> */
> int bpf_check_uarg_tail_zero(void __user *uaddr,
> size_t expected_size,
> size_t actual_size)
> {
> - unsigned char __user *addr;
> - unsigned char __user *end;
> - unsigned char val;
> + size_t size = min(expected_size, actual_size);
> + size_t rest = max(expected_size, actual_size) - size;
> int err;
>
> if (unlikely(actual_size > PAGE_SIZE)) /* silly large */
> return -E2BIG;
>
> - if (unlikely(!access_ok(uaddr, actual_size)))
> - return -EFAULT;
> -
> if (actual_size <= expected_size)
> return 0;
>
> - addr = uaddr + expected_size;
> - end = uaddr + actual_size;
> -
> - for (; addr < end; addr++) {
> - err = get_user(val, addr);
> - if (err)
> - return err;
> - if (val)
> - return -E2BIG;
> - }
> + err = check_zeroed_user(uaddr + expected_size, rest);
Just noticed this 'rest' math.
I bet compiler can optimize unnecessary min+max, but
let's save it from that job.
Just do actual_size - expected_size here instead.
Powered by blists - more mailing lists