From: David Ahern <dsahern@gmail.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Leon Romanovsky <leon@kernel.org>,
Arjun Roy <arjunroy.kdev@gmail.com>,
davem@davemloft.net, netdev@vger.kernel.org, arjunroy@google.com,
edumazet@google.com, soheil@google.com
Subject: Re: [net-next v2] tcp: Explicitly mark reserved field in tcp_zerocopy_receive args.
Date: Mon, 8 Feb 2021 20:20:29 -0700 [thread overview]
Message-ID: <af35d535-8d58-3cf3-60e3-1764e409308b@gmail.com> (raw)
In-Reply-To: <20210208185323.11c2bacf@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
On 2/8/21 7:53 PM, Jakub Kicinski wrote:
> On Mon, 8 Feb 2021 19:24:05 -0700 David Ahern wrote:
>> On 2/8/21 11:41 AM, Jakub Kicinski wrote:
>>> On Sun, 7 Feb 2021 10:26:54 +0200 Leon Romanovsky wrote:
>>>> There is a check that len is not larger than zs and users can't give
>>>> large buffer.
>>>>
>>>> I would say that is pretty safe to write "if (zc.reserved)".
>>>
>>> Which check? There's a check which truncates (writes back to user space
>>> len = min(len, sizeof(zc)). Application can still pass garbage beyond
>>> sizeof(zc) and syscall may start failing in the future if sizeof(zc)
>>> changes.
>>
>> That would be the case for new userspace on old kernel. Extending the
>> check to the end of the struct would guarantee new userspace can not ask
>> for something that the running kernel does not understand.
>
> Indeed, so we're agreeing that check_zeroed_user() is needed before
> original optlen from user space gets truncated?
>
I thought so, but maybe not. To think through this ...
If current kernel understands a struct of size N, it can only copy that
amount from user to kernel. Anything beyond is ignored in these
multiplexed uAPIs, and that is where the new userspace on old kernel falls.
Known value checks can only be done up to size N. In this case, the
reserved field is at the end of the known struct size, so checking just
the field is fine. Going beyond the reserved field has implications for
extensions to the API which should be handled when those extensions are
added.
So, in short I think the "if (zc.reserved)" is correct as Leon noted.
next prev parent reply other threads:[~2021-02-09 3:23 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-06 20:36 [net-next v2] tcp: Explicitly mark reserved field in tcp_zerocopy_receive args Arjun Roy
2021-02-06 23:28 ` Jakub Kicinski
2021-02-07 8:26 ` Leon Romanovsky
2021-02-08 18:41 ` Jakub Kicinski
2021-02-09 2:24 ` David Ahern
2021-02-09 2:53 ` Jakub Kicinski
2021-02-09 3:20 ` David Ahern [this message]
2021-02-09 6:29 ` Leon Romanovsky
2021-02-09 16:59 ` Jakub Kicinski
2021-02-09 23:46 ` Arjun Roy
2021-02-10 4:35 ` David Ahern
2021-02-10 19:23 ` Arjun Roy
2021-02-09 6:15 ` Leon Romanovsky
2021-02-09 16:59 ` Jakub Kicinski
2021-02-09 19:01 ` Leon Romanovsky
2021-02-07 17:49 ` David Ahern
2021-02-07 17:53 ` David Ahern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af35d535-8d58-3cf3-60e3-1764e409308b@gmail.com \
--to=dsahern@gmail.com \
--cc=arjunroy.kdev@gmail.com \
--cc=arjunroy@google.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=soheil@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.