| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Oct 2019 15:43:08 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>,
Networking <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next 1/5] uaccess: Add non-pagefault user-space write function
On Fri, Oct 25, 2019 at 3:15 PM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On Fri, Oct 25, 2019 at 02:53:07PM -0700, Andrii Nakryiko wrote:
> > On Fri, Oct 25, 2019 at 1:44 PM Daniel Borkmann <daniel@...earbox.net> wrote:
> > >
> > > Commit 3d7081822f7f ("uaccess: Add non-pagefault user-space read functions")
> > > missed to add probe write function, therefore factor out a probe_write_common()
> > > helper with most logic of probe_kernel_write() except setting KERNEL_DS, and
> > > add a new probe_user_write() helper so it can be used from BPF side.
> > >
> > > Again, on some archs, the user address space and kernel address space can
> > > co-exist and be overlapping, so in such case, setting KERNEL_DS would mean
> > > that the given address is treated as being in kernel address space.
> > >
> > > Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> >
> > LGTM. See an EFAULT comment below, though.
> >
> > Acked-by: Andrii Nakryiko <andriin@...com>
> >
> > [...]
> >
> > > +/**
> > > + * probe_user_write(): safely attempt to write to a user-space location
> > > + * @dst: address to write to
> > > + * @src: pointer to the data that shall be written
> > > + * @size: size of the data chunk
> > > + *
> > > + * Safely write to address @dst from the buffer at @src. If a kernel fault
> > > + * happens, handle that and return -EFAULT.
> > > + */
> > > +
> > > +long __weak probe_user_write(void __user *dst, const void *src, size_t size)
> > > + __attribute__((alias("__probe_user_write")));
> >
> > curious, why is there this dance of probe_user_write alias to
> > __probe_user_write (and for other pairs of functions as well)?
>
> Seems done by convention to allow archs to override the __weak marked
> functions in order to add additional checks and being able to then call
> into the __ prefixed variant.
>
> > > +long __probe_user_write(void __user *dst, const void *src, size_t size)
> > > +{
> > > + long ret = -EFAULT;
> >
> > This initialization is not necessary, is it? Similarly in
> > __probe_user_read higher in this file.
>
> Not entirely sure what you mean. In both there's access_ok() check before
> invoking the common helper.
ah, right, if, yeah, never mind then.
>
> > > + mm_segment_t old_fs = get_fs();
> > > +
> > > + set_fs(USER_DS);
> > > + if (access_ok(dst, size))
> > > + ret = probe_write_common(dst, src, size);
> > > + set_fs(old_fs);
> > > +
> > > + return ret;
> > > +}
> > > +EXPORT_SYMBOL_GPL(probe_user_write);
> > >
> > > /**
> > > * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
> > > --
> > > 2.21.0
> > >
Powered by blists - more mailing lists