| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Mar 2020 13:51:44 +0000 From: David Laight <David.Laight@...LAB.COM> To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org> CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: [RFC PATCH 00/12] Changes to code that reads iovec from userspace This is RFC because we seem to be in a merge window. The canonical code to read iov[] is currently: struct iovec iovstack[UIO_FASTIOV]; struct iovec *iov; ... iov = iovstack; rc = import_iovec(..., UIO_FASTIOV, &iov, &iter); if (rc < 0) return rc; ... kfree(iov); Note that the 'iov' parameter is used for two different things. On input it is an iov[] can can be used. On output it is an iov[] array that must be freed. If 'iovstack' is passed, the count is actually always UIO_FASTIOV (8) although in some places the array definition is in a different file (never mind function) from the constant used. import_iovec() itself is just a wrapper to rw_copy_check_uvector(). So everything is passed through to a second function. Several items are 'passed by reference' - adding to the code paths. On success import_iovec() returned the transfer count. Only one caller looks at it, the count is also in iter.count. The new canonical code is: struct iov_cache cache; struct iovec *iov; ... iov = iovec_import(..., &cache, &iter); if (IS_ERR(iov)) return PTR_ERR(iov); ... kfree(iov); Since 'struct iov_cache' is a fixed size there is no need to pass in a length (correct or not!). It can still be NULL (used by the scsi code). iovec_import() contains the code that used to be in rw_copy_check_uvector() and then sets up the iov_iter. rw_copy_check_uvector() is no more. The only other caller was in mm/process_vm_access.c when reading the iov[] for the target process addresses when copying from a differ process. This can extract the iov[] from an extra 'struct iov_iter'. In passing I noticed an access_ok() call on each fragment. I hope this is just there to bail out early! It is also skipped in process_vm_rw(). I did a quick look but couldn't see an obvious equivalent check. Patches 1 and 2 tidy up existing code. Patches 3 and 4 add the new interface. Patches 5 through 10 change all the callers. Patch 11 removes a 'hack' that allowed fs/io_uring be updated before the socket code. Patch 12 removes the old interface. I suspect the changes need to trickle through a merge window. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Powered by blists - more mailing lists