On 4/4/20 11:31 AM, Christoph Hellwig wrote:
> On Fri, Apr 03, 2020 at 04:20:24PM +0200, Daniel Borkmann wrote:
>> With crazy old functions I presume you mean the old bpf_probe_read()
>> which is mapped to the BPF_FUNC_probe_read helper, or something else entirely?
>
> I couldn't care less about bpf, this is about the kernel API.
>
> What I mean is that your new probe_kernel_read_strict and
> strncpy_from_unsafe_strict helpers are good and useful. But for this
> to actually make sense we need to get rid of the non-strict versions,
> and we also need to get rid of some of the weak alias magic.
Yeah, agree, probe_kernel_read() should do the strict checks by default,
and there would need to be some way to opt out for the legacy helpers so
they don't break. So it would end up looking like the below ...
long __probe_kernel_read(void *dst, const void *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	/* Strict by default: refuse anything outside the kernel range
	 * before touching it, instead of relying on the fault handler. */
	if (kernel_range_ok(src, size))
		ret = probe_read_common(dst, (__force const void __user *)src, size);
	set_fs(old_fs);
	return ret;
}
... where archs with non-overlapping user and kernel address ranges would
only end up having to implement the kernel_range_ok() check. Or, instead of
a generic kernel_range_ok(), this could perhaps be more probing-specific, as
in probe_kernel_range_ok(), where this would then also cover the special
cases we seem to have in parisc and um. Then this would also allow getting rid
of all the __weak aliasing, which may just be confusing. I could look
into coming up with something along these lines. Thoughts?
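The design sketched in this thread, as an added user-space model rather than kernel code or anything posted by the participants: a strict probe helper runs a range check before it reads, so a caller can never coax it into dereferencing a user or unmapped address. Everything here is an assumption for illustration: the "kernel" range is a static buffer, kernel_range_ok() and probe_read_common() are stand-ins with the names used in the thread, and read_kernel_offset() is a demo helper. The range check also rejects a start+size that wraps around, which a plain end-bound comparison would miss.

```c
/* User-space model of a strict probe_kernel_read() (added example; not
 * kernel code and not from the thread). Names and the backing buffer are
 * assumptions made for this illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pretend this 256-byte buffer is the whole kernel address range. Anything
 * outside it (a stack variable, a near-NULL pointer) plays the role of
 * user or unmapped memory that a strict probe must refuse to read. */
static unsigned char kernel_mem[256] = "kernel data";

/* Assumed stand-in for the thread's kernel_range_ok(): accept [src, src+size)
 * only if it lies entirely inside the modelled kernel range. */
static int kernel_range_ok(const void *src, size_t size)
{
    uintptr_t start = (uintptr_t)src;
    uintptr_t lo = (uintptr_t)kernel_mem;
    uintptr_t hi = lo + sizeof(kernel_mem); /* one past the end */

    if (size == 0)
        return 1;
    /* A huge size would wrap start + size and slip past the end-bound
     * check below, so reject the overflow explicitly. */
    if (start > UINTPTR_MAX - size)
        return 0;
    return start >= lo && start + size <= hi;
}

/* Assumed stand-in for probe_read_common(): the part that actually copies.
 * In the kernel this runs under a fault handler; here every accepted
 * address is known to be mapped, so a plain memcpy is enough. */
static long probe_read_common(void *dst, const void *src, size_t size)
{
    memcpy(dst, src, size);
    return 0;
}

/* The strict variant: range check first, -EFAULT for anything outside. */
long probe_kernel_read_strict(void *dst, const void *src, size_t size)
{
    long ret = -EFAULT;

    if (kernel_range_ok(src, size))
        ret = probe_read_common(dst, src, size);
    return ret;
}

/* Demo helper: probe at a byte offset into the modelled kernel range.
 * The offset is applied on an integer so out-of-range offsets are not
 * undefined pointer arithmetic. */
long read_kernel_offset(void *dst, size_t off, size_t size)
{
    const void *src = (const void *)((uintptr_t)kernel_mem + off);
    return probe_kernel_read_strict(dst, src, size);
}

int main(void)
{
    unsigned char buf[16] = {0};
    int on_stack = 42; /* stands in for a user-space address */

    printf("in range:   %ld (%.6s)\n", read_kernel_offset(buf, 0, 6), buf);
    printf("past end:   %ld\n", read_kernel_offset(buf, 251, 6));
    printf("wrapping:   %ld\n", read_kernel_offset(buf, 0, (size_t)-1));
    printf("user addr:  %ld\n",
           probe_kernel_read_strict(buf, &on_stack, sizeof on_stack));
    return 0;
}
```

The point of the model is the order of operations: the address is classified before any access, so a legacy opt-out helper can be the only path that still reads outside the kernel range.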