Re: io_uring, IORING_OP_RECVMSG and ancillary data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/27/20 2:03 PM, Jann Horn wrote:
> On Mon, Apr 27, 2020 at 9:53 PM Jens Axboe <axboe@xxxxxxxxx> wrote:
>> On 4/27/20 1:29 PM, Jens Axboe wrote:
>>> On 4/27/20 1:20 PM, Jann Horn wrote:
>>>> On Sat, Apr 25, 2020 at 10:23 PM Jens Axboe <axboe@xxxxxxxxx> wrote:
>>>>> On 4/25/20 11:29 AM, Andreas Smas wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Tried to use io_uring with OP_RECVMSG with ancillary buffers (for my
>>>>>> particular use case I'm using SO_TIMESTAMP for incoming UDP packets).
>>>>>>
>>>>>> These submissions fail with EINVAL due to the check in __sys_recvmsg_sock().
>>>>>>
>>>>>> The following hack fixes the problem for me and I get valid timestamps
>>>>>> back. Not suggesting this is the real fix as I'm not sure what the
>>>>>> implications of this is.
>>>>>>
>>>>>> Any insight into this would be much appreciated.
>>>>>
>>>>> It was originally disabled because of a security issue, but I do think
>>>>> it's safe to enable again.
>>>>>
>>>>> Adding the io-uring list and Jann as well, leaving patch intact below.
>>>>>
>>>>>> diff --git a/net/socket.c b/net/socket.c
>>>>>> index 2dd739fba866..689f41f4156e 100644
>>>>>> --- a/net/socket.c
>>>>>> +++ b/net/socket.c
>>>>>> @@ -2637,10 +2637,6 @@ long __sys_recvmsg_sock(struct socket *sock,
>>>>>> struct msghdr *msg,
>>>>>>                         struct user_msghdr __user *umsg,
>>>>>>                         struct sockaddr __user *uaddr, unsigned int flags)
>>>>>>  {
>>>>>> -       /* disallow ancillary data requests from this path */
>>>>>> -       if (msg->msg_control || msg->msg_controllen)
>>>>>> -               return -EINVAL;
>>>>>> -
>>>>>>         return ____sys_recvmsg(sock, msg, umsg, uaddr, flags, 0);
>>>>>>  }
>>>>
>>>> I think that's hard to get right. In particular, unix domain sockets
>>>> can currently pass file descriptors in control data - so you'd need to
>>>> set the file_table flag for recvmsg and sendmsg. And I'm not sure
>>>> whether, to make this robust, there should be a whitelist of types of
>>>> control messages that are permitted to be used with io_uring, or
>>>> something like that...
>>>>
>>>> I think of ancillary buffers as being kind of like ioctl handlers in
>>>> this regard.
>>>
>>> Good point. I'll send out something that hopefully will be enough to
>>> be useful, whole not allowing anything randomly.
>>
>> That things is a bit of a mess... How about something like this for
>> starters?
> [...]
>> +static bool io_net_allow_cmsg(struct msghdr *msg)
>> +{
>> +       struct cmsghdr *cmsg;
>> +
>> +       for_each_cmsghdr(cmsg, msg) {
> 
> Isn't this going to dereference a userspace pointer? ->msg_control has
> not been copied into the kernel at this point, right?

Possibly... Totally untested, maybe I forgot to mention that :-)
I'll check.

The question was more "in principle" if this was a viable approach. The
whole cmsg_type and cmsg_level is really a mess.

-- 
Jens Axboe




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux