On Fri, Oct 25, 2019 at 1:44 PM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> Commit 3d7081822f7f ("uaccess: Add non-pagefault user-space read functions")
> missed to add probe write function, therefore factor out a probe_write_common()
> helper with most logic of probe_kernel_write() except setting KERNEL_DS, and
> add a new probe_user_write() helper so it can be used from BPF side.
>
> Again, on some archs, the user address space and kernel address space can
> co-exist and be overlapping, so in such case, setting KERNEL_DS would mean
> that the given address is treated as being in kernel address space.
>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> ---
LGTM. See an EFAULT comment below, though.
Acked-by: Andrii Nakryiko <andriin@xxxxxx>
> include/linux/uaccess.h | 12 +++++++++++
> mm/maccess.c | 45 +++++++++++++++++++++++++++++++++++++----
> 2 files changed, 53 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> index e47d0522a1f4..86dcf2894672 100644
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -337,6 +337,18 @@ extern long __probe_user_read(void *dst, const void __user *src, size_t size);
> extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
> extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
>
> +/*
> + * probe_user_write(): safely attempt to write to a location in user space
> + * @dst: address to write to
> + * @src: pointer to the data that shall be written
> + * @size: size of the data chunk
> + *
> + * Safely write to address @dst from the buffer at @src. If a kernel fault
> + * happens, handle that and return -EFAULT.
> + */
> +extern long notrace probe_user_write(void __user *dst, const void *src, size_t size);
> +extern long notrace __probe_user_write(void __user *dst, const void *src, size_t size);
> +
> extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
> extern long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
> long count);
> diff --git a/mm/maccess.c b/mm/maccess.c
> index d065736f6b87..2d3c3d01064c 100644
> --- a/mm/maccess.c
[...]
>
> +/**
> + * probe_user_write(): safely attempt to write to a user-space location
> + * @dst: address to write to
> + * @src: pointer to the data that shall be written
> + * @size: size of the data chunk
> + *
> + * Safely write to address @dst from the buffer at @src. If a kernel fault
> + * happens, handle that and return -EFAULT.
> + */
> +
> +long __weak probe_user_write(void __user *dst, const void *src, size_t size)
> + __attribute__((alias("__probe_user_write")));
curious, why is there this dance of probe_user_write alias to
__probe_user_write (and for other pairs of functions as well)?
> +
> +long __probe_user_write(void __user *dst, const void *src, size_t size)
> +{
> + long ret = -EFAULT;
This initialization is not necessary, is it? Similarly in
__probe_user_read higher in this file.
> + mm_segment_t old_fs = get_fs();
> +
> + set_fs(USER_DS);
> + if (access_ok(dst, size))
> + ret = probe_write_common(dst, src, size);
> + set_fs(old_fs);
> +
> + return ret;
> +}
> +EXPORT_SYMBOL_GPL(probe_user_write);
>
> /**
> * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
> --
> 2.21.0
>
