On 01/04/2016 02:28 PM, James Hogan wrote:
Hi Leonid,
On Mon, Jan 04, 2016 at 01:33:51PM -0800, Leonid Yegoshin wrote:
On 01/04/2016 12:29 PM, James Hogan wrote:
Add the eva_kernel_access() check in __copy_from_user() like the one in
copy_from_user().
...
Adding a user space check in __copy_from_user() kills the original
design.
The original patch which did the same thing is already merged, so it's a
bit late to be arguing with it now.
In any case, like other __ prefixed uaccess functions I believe the
semantics are such that __copy_from_user() can be used instead of
copy_from_user() to avoid multiple redundant access_ok() checks, since
the caller can do it once before calling __copy_from_user().
... and it seems ridiculous that all net code uses copy_from*() besides
one place which uses __copy_from_user_nocache() right after access_ok().
Note - there is no saving at all from splitting the address verification
into access_ok() and copy*() in this specific case.
I have yet to see evidence or documentation suggesting that it was
intended never to be used for kernel addresses, which would be
inconsistent with copy_from_user and other __ uaccess functions which do
handle them. Given the awkwardness of auditing whether some of these
functions are ever called with kernel addresses, and the rate of code
change in Linux, taking shortcuts with the semantics, even if possible
to do at this moment, will only result in future code rot.
Well, there are cases when you know inside the caller that the address is
in kernel address space and want to just skip the ds set/restore and
access_ok(). But that is not the case for skb_do_copy_data_nocache().
- Leonid.
Cheers
James