On Tue, Jul 12, 2022 at 3:52 PM Marco Elver <elver@xxxxxxxxxx> wrote:
>
> On Fri, 1 Jul 2022 at 16:24, Alexander Potapenko <glider@xxxxxxxxxx> wrote:
> >
> > To avoid false positives, KMSAN needs to unpoison the data copied from
> > the userspace. To detect infoleaks - check the memory buffer passed to
> > copy_to_user().
> >
> > Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
>
> Reviewed-by: Marco Elver <elver@xxxxxxxxxx>
>
> With the code simplification below.
>
> [...]
> > --- a/mm/kmsan/hooks.c
> > +++ b/mm/kmsan/hooks.c
> > @@ -212,6 +212,44 @@ void kmsan_iounmap_page_range(unsigned long start, unsigned long end)
> > }
> > EXPORT_SYMBOL(kmsan_iounmap_page_range);
> >
> > +void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy,
> > + size_t left)
> > +{
> > + unsigned long ua_flags;
> > +
> > + if (!kmsan_enabled || kmsan_in_runtime())
> > + return;
> > + /*
> > + * At this point we've copied the memory already. It's hard to check it
> > + * before copying, as the size of actually copied buffer is unknown.
> > + */
> > +
> > + /* copy_to_user() may copy zero bytes. No need to check. */
> > + if (!to_copy)
> > + return;
> > + /* Or maybe copy_to_user() failed to copy anything. */
> > + if (to_copy <= left)
> > + return;
> > +
> > + ua_flags = user_access_save();
> > + if ((u64)to < TASK_SIZE) {
> > + /* This is a user memory access, check it. */
> > + kmsan_internal_check_memory((void *)from, to_copy - left, to,
> > + REASON_COPY_TO_USER);
>
> This could just do "} else {" and the stuff below, and would result in
> simpler code with no explicit "return" and no duplicated
> user_access_restore().
Sounds good, will do.
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
