[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALNs47s0bpyL1Zo9VmXcyG2X1SKLB3WZdrG+OOCfWi_uQUiYjA@mail.gmail.com>
Date: Sun, 8 Oct 2023 01:41:02 -0400
From: Trevor Gross <tmgross@...ch.edu>
To: Andrew Lunn <andrew@...n.ch>
Cc: FUJITA Tomonori <fujita.tomonori@...il.com>, netdev@...r.kernel.org,
rust-for-linux@...r.kernel.org, miguel.ojeda.sandonis@...il.com,
greg@...ah.com
Subject: Re: [PATCH v2 1/3] rust: core abstractions for network PHY drivers
On Sat, Oct 7, 2023 at 10:48 AM Andrew Lunn <andrew@...n.ch> wrote:
> After reading the thread, we first have a terminology problem. In the
> kernel world, 'user input' generally means from user space. And user
> space should never be trusted, but user space should also not be
> allowed to bring the system to its knees. Return -EINVAL to userspace
> is the correct thing to do and keep going. Don't do a kernel splat
> because the user passed 42 as a speed, not 10.
Yes, sorry about the terminology. I was indeed referring to a user of
this function and am still figuring out the failure modes (thanks also
Greg for the corrections).
> However, what Trevor was meaning is that whoever called set_speed()
> passed an invalid value. But what are valid values?
>
> We have this file which devices the KAPI
> https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/ethtool.h#L1883
>
> says:
>
> /* The forced speed, in units of 1Mb. All values 0 to INT_MAX are legal.
>
> and we also have
>
> #define SPEED_UNKNOWN -1
>
> and there is a handy little helper:
>
> static inline int ethtool_validate_speed(__u32 speed)
> {
> return speed <= INT_MAX || speed == (__u32)SPEED_UNKNOWN;
> }
>
> so if you want to validate speed, call this helper.
>
> However, this is a kernel driver, and we generally trust kernel
> drivers. There is not much we can do except trust them. And passing an
> invalid speed here is very unlikely to cause the kernel to explode
> sometime later.
>
> Andrew
I didn't mean the suggestion to be a way of handling untrusted input,
just a means of providing a fallback value with module author feedback
if something > INT_MAX winds up getting passed somehow.
Agreed that this is more than necessary for such a trivial situation,
the original is of course fine.
Powered by blists - more mailing lists