Re: [PATCH] [RFC] fs/binfmt_elf: work around bogus ubsan array-bounds warning

From: Kees Cook
Date: Mon Jul 31 2017 - 18:14:05 EST


On Mon, Jul 31, 2017 at 2:52 AM, Arnd Bergmann <arnd@xxxxxxxx> wrote:
> Using copy_to_user instead of __copy_to_user shuts up the warning here
> and is harmless, but is otherwise a completely bogus change as
> the function is still using a mix of __copy_to_user and copy_to_user.
>
> I have not found out why create_elf_tables() uses the __copy_to_user
> version in the first place, and the right answer might be that it
> should simply use copy_to_user() and put_user() everywhere.

IIUC, __copy*() is allowed here because the kernel is operating on an
already sanity-checked pointer (i.e. a freshly kernel-allocated
stack). I wouldn't expect swapping in copy*() to have noticeable
performance here, though if there was, it would be a constant change
(the ELF tables are a per-arch fixed size).

-Kees

--
Kees Cook
Pixel Security