Re: [PATCH v2 1/4] lib: test copy_{to,from}_user()

From: Linus Torvalds
Date: Tue Mar 21 2023 - 14:11:20 EST

Next message: Vipin Sharma: "Re: [Patch v3 0/7] Optimize clear dirty log"
Previous message: Luis Chamberlain: "Re: [PATCH] fs/drop_caches: move drop_caches sysctls into its own file"
In reply to: David Laight: "RE: [PATCH v2 1/4] lib: test copy_{to,from}_user()"
Next in thread: Mark Rutland: "Re: [PATCH v2 1/4] lib: test copy_{to,from}_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 21, 2023 at 5:25 AM Mark Rutland <mark.rutland@xxxxxxx> wrote:
>
> * arm64's copy_to_user() under-reports the number of bytes copied in
> some cases, e.g.

So I think this is the ok case.

> * arm's copy_to_user() under-reports the number of bytes copied in some
> cases, and both copy_to_user() and copy_from_user() don't guarantee
> that at least a single byte is copied when a partial copy is possible,

Again, this is ok historically.

> * i386's copy_from_user does not guarantee that at least a single byte
> is copied when a partial copit is possible, e.g.
>
> | too few bytes consumed (offset=4093, size=8, ret=8)

And here's the real example of "we've always done this optimization".
The exact details have differed, but the i386 case is the really
really traditional one: it does word-at-a-time copies, and does *not*
try to fall back to byte-wise copies. Never has.

> * riscv's copy_to_user() and copy_from_user() don't guarantee that at
> least a single byte is copied when a partial copy is possible, e.g.
>
> | too few bytes consumed (offset=4095, size=2, ret=2)

Yup. This is all the same "we've never forced byte-at-a-time copies"

> * s390 passes all tests
>
> * sparc's copy_from_user() over-reports the number of bbytes copied in
> some caes, e.g.

So this case I think this is wrong, and an outright bug. That can
cause people to think that uninitialized data is initialized, and leak
sensitive information.

> * x86_64 passes all tests

I suspect your testing is flawed due to being too limited, and x86-64
having multiple different copying routines.

Yes, at some point we made everything be quite careful with
"handle_tail" etc, but we end up still having things that fail early,
and fail hard.

At a minimum, at least unsafe_copy_to_user() will fault and not do the
"fill to the very last byte" case. Of course, that doesn't return a
partial length (it only has a "fail" case), but it's an example of
this whole thing where we haven't really been byte-exact when doing
copies.

So again, I get the feeling that these rules may make sense from a
validation standpoint, but I'm not 100% sure we should generally have
to be this careful.

Linus

Next message: Vipin Sharma: "Re: [Patch v3 0/7] Optimize clear dirty log"
Previous message: Luis Chamberlain: "Re: [PATCH] fs/drop_caches: move drop_caches sysctls into its own file"
In reply to: David Laight: "RE: [PATCH v2 1/4] lib: test copy_{to,from}_user()"
Next in thread: Mark Rutland: "Re: [PATCH v2 1/4] lib: test copy_{to,from}_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]