On 2019-09-05, Christian Brauner <christian.brauner@xxxxxxxxxx> wrote:
On Thu, Sep 05, 2019 at 06:19:22AM +1000, Aleksa Sarai wrote:A common pattern for syscall extensions is increasing the size of a struct passed from userspace, such that the zero-value of the new fields result in the old kernel behaviour (allowing for a mix of userspace and kernel vintages to operate on one another in most cases). This is done in both directions -- hence two helpers -- though it's more common to have to copy user space structs into kernel space. Previously there was no common lib/ function that implemented the necessary extension-checking semantics (and different syscalls implemented them slightly differently or incompletely[1]). A future patch replaces all of the common uses of this pattern to use the new copy_struct_{to,from}_user() helpers. [1]: For instance {sched_setattr,perf_event_open,clone3}(2) all do do similar checks to copy_struct_from_user() while rt_sigprocmask(2) always rejects differently-sized struct arguments. Suggested-by: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx> Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx>
[...]
+ if (unlikely(!access_ok(src, usize))) + return -EFAULT; + + /* Deal with trailing bytes. */ + if (usize < ksize) + memset(dst + size, 0, rest);
[...]
That's a change in behavior for clone3() and sched at least, no? Unless - which I guess you might have done - you have moved the "error out when the struct is too small" part before the call to copy_struct_from_user() for them.
Yes, I've put the minimum size check to the callers in all of the cases (in the case of clone3() I've #define'd a CLONE_ARGS_SIZE_VER0 to match the others -- see patch 2 of the series). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature
