From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
To: David Laight <David.Laight@ACULAB.COM>
Cc: Jinyang He <hejinyang@loongson.cn>,
Tiezhu Yang <yangtiezhu@loongson.cn>,
"linux-mips@vger.kernel.org" <linux-mips@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] MIPS: Fix strnlen_user access check
Date: Tue, 13 Apr 2021 17:19:09 +0200 [thread overview]
Message-ID: <20210413151909.GA13549@alpha.franken.de> (raw)
In-Reply-To: <069e524dbad2412f9e74fd234f40fff5@AcuMS.aculab.com>
On Tue, Apr 13, 2021 at 12:37:25PM +0000, David Laight wrote:
> From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> > Sent: 13 April 2021 12:15
> ...
> > > The __access_ok() is noted with `Ensure that the range [addr, addr+size)
> > > is within the process's address space`. Does the range checked by
> > > __access_ok() on MIPS is [addr, addr+size]. So if we want to use
> > > access_ok(s, 1), should we modify __access_ok()? Or my misunderstanding?
> >
> > you are right, I'm going to apply
> >
> > https://patchwork.kernel.org/project/linux-mips/patch/20190209194718.1294-1-paul.burton@mips.com/
> >
> > to fix that.
>
> Isn't that still wrong?
> If an application does:
> write(fd, (void *)0xffff0000, 0);
> it should return 0, not -1 and EFAULT/SIGSEGV.
WRITE(2) Linux Programmer's Manual WRITE(2)
[...]
If count is zero and fd refers to a regular file, then write() may
return a failure status if one of the errors below is detected. If no
errors are detected, or error detection is not performed, 0 will be
returned without causing any other effect. If count is zero and fd
refers to a file other than a regular file, the results are not speci-
fied.
[...]
EFAULT buf is outside your accessible address space.
at least it's covered by the man page on my Linux system.
> There is also the question about why this makes any difference
> to the original problem of logging in via the graphical interface.
kernel/module.c: mod->args = strndup_user(uargs, ~0UL >> 1);
and strndup_user does a strnlen_user.
> ISTM that it is very unlikely that the length passed to strnlen_user()
> is long enough to take potential buffer beyond the end of user
> address space.
see above.
Thomas.
--
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea. [ RFC1925, 2.3 ]
next prev parent reply other threads:[~2021-04-13 15:22 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-11 11:04 [PATCH] MIPS: Fix strnlen_user access check Jinyang He
2021-04-12 3:02 ` Tiezhu Yang
2021-04-12 6:06 ` Jinyang He
2021-04-12 7:08 ` Tiezhu Yang
2021-04-12 14:27 ` Thomas Bogendoerfer
2021-04-13 1:15 ` Jinyang He
2021-04-13 8:34 ` David Laight
2021-04-13 11:14 ` Thomas Bogendoerfer
2021-04-13 12:37 ` David Laight
2021-04-13 15:19 ` Thomas Bogendoerfer [this message]
2021-04-13 16:01 ` David Laight
2021-04-14 7:59 ` Thomas Bogendoerfer
2021-04-12 13:47 ` Jinyang He
2021-04-15 21:26 Thomas Bogendoerfer
2021-04-16 7:22 ` Thomas Bogendoerfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210413151909.GA13549@alpha.franken.de \
--to=tsbogend@alpha.franken.de \
--cc=David.Laight@ACULAB.COM \
--cc=hejinyang@loongson.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=yangtiezhu@loongson.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).