On 2019-09-05, Christian Brauner <christian.brauner@xxxxxxxxxx> wrote: > On Thu, Sep 05, 2019 at 06:19:22AM +1000, Aleksa Sarai wrote: > > A common pattern for syscall extensions is increasing the size of a > > struct passed from userspace, such that the zero-value of the new fields > > result in the old kernel behaviour (allowing for a mix of userspace and > > kernel vintages to operate on one another in most cases). This is done > > in both directions -- hence two helpers -- though it's more common to > > have to copy user space structs into kernel space. > > > > Previously there was no common lib/ function that implemented > > the necessary extension-checking semantics (and different syscalls > > implemented them slightly differently or incompletely[1]). A future > > patch replaces all of the common uses of this pattern to use the new > > copy_struct_{to,from}_user() helpers. > > > > [1]: For instance {sched_setattr,perf_event_open,clone3}(2) all do do > > similar checks to copy_struct_from_user() while rt_sigprocmask(2) > > always rejects differently-sized struct arguments. > > > > Suggested-by: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx> > > Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx> [...] > > + if (unlikely(!access_ok(src, usize))) > > + return -EFAULT; > > + > > + /* Deal with trailing bytes. */ > > + if (usize < ksize) > > + memset(dst + size, 0, rest); [...] > That's a change in behavior for clone3() and sched at least, no? Unless > - which I guess you might have done - you have moved the "error out when > the struct is too small" part before the call to copy_struct_from_user() > for them. Yes, I've put the minimum size check to the callers in all of the cases (in the case of clone3() I've #define'd a CLONE_ARGS_SIZE_VER0 to match the others -- see patch 2 of the series). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature