lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Tue, 15 Sep 2020 14:53:55 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "io-uring@...r.kernel.org" <io-uring@...r.kernel.org>,
        Jens Axboe <axboe@...nel.dk>,
        "David S. Miller" <davem@...emloft.net>,
        Al Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: [PATCH 0/9 next] Changes to code that reads iovec from userspace


The canonical code to read iov[] from userspace is currently:
	struct iovec iovstack[UIO_FASTIOV];
	struct iovec *iov;
	...
	iov = iovstack;
	rc = import_iovec(..., UIO_FASTIOV, &iov, &iter);
	if (rc < 0)
		return rc;
	...
	kfree(iov);

Note that the 'iov' parameter is used for two different things.
On input it is an iov[] that can be used.
On output it is an iov[] array that must be freed.

If 'iovstack' is passed, the count is actually always UIO_FASTIOV (8)
although in some places the array definition is in a different file
(never mind function) from the constant used.

import_iovec() itself is just a wrapper to rw_copy_check_uvector().
So everything is passed through to a second function.
Several items are 'passed by reference' - adding to the code paths.

On success import_iovec() returned the transfer count.
Only one caller looks at it, the count is also in iter.count.

The new canonical code is:
	struct iov_cache cache;
	struct iovec *iov;
	...
	iov = iovec_import(..., &cache, &iter);
	if (IS_ERR(iov))
		return PTR_ERR(iov);
	...
	kfree(iov);

Since 'struct iov_cache' is a fixed size there is no need to pass in
a length (correct or not!). It can still be NULL (used by the scsi code).

iovec_import() contains the code that used to be in rw_copy_check_uvector()
and then sets up the iov_iter.

rw_copy_check_uvector() is no more.
The only other caller was in mm/process_vm_access.c when reading the
iov[] for the target process addresses when copying from a different process.
This can extract the iov[] from an extra 'struct iov_iter'.

In passing I noticed an access_ok() call on each fragment.
I hope this is just there to bail out early!
It is also skipped in process_vm_rw(). I did a quick look but couldn't
see an obvious equivalent check.

I've only done minimal changes to fs/io_uring.c
Once it has been converted to use iovec_import() the import_iovec()
functions can be deleted.

Patches 1, 2 and 3 need to be applied first.
Patches 4 to 9 can be applied in any order.

There should be measurable (if small) improvements to the recvmmsg() and
sendmmsg() system calls.

David Laight (9):
  1) mm:process_vm_access Call import_iovec() instead of rw_copy_check_uvector()
  2) fs: Move rw_copy_check_uvector() into lib/iov_iter.c and make static.
  3) lib/iov_iter: Improved function for importing iovec[] from userpace.
  4) fs/io_uring Don't use the return value from import_iovec().
  5) scsi: Use iovec_import() instead of import_iovec().
  6) security/keys: Use iovec_import() instead of import_iovec().
  7) mm/process_vm_access: Use iovec_import() instead of import_iovec().
  8) fs: Use iovec_import() instead of import_iovec().
  9) net/socket: Use iovec_import() instead of import_iovec().

 block/scsi_ioctl.c     |  14 ++-
 drivers/scsi/sg.c      |  14 +--
 fs/aio.c               |  34 +++---
 fs/io_uring.c          |  21 ++--
 fs/read_write.c        | 248 ++++++-----------------------------------
 fs/splice.c            |  22 ++--
 include/linux/compat.h |   6 -
 include/linux/fs.h     |   5 -
 include/linux/socket.h |  15 +--
 include/linux/uio.h    |  14 +++
 include/net/compat.h   |   5 +-
 lib/iov_iter.c         | 200 +++++++++++++++++++++++++++++----
 mm/process_vm_access.c |  82 +++++++-------
 net/compat.c           |  17 ++-
 net/socket.c           |  66 +++++------
 security/keys/compat.c |  11 +-
 security/keys/keyctl.c |  10 +-
 17 files changed, 386 insertions(+), 398 deletions(-)

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists