From: Linus Torvalds <torvalds@linux-foundation.org>
To: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
Khalid Aziz <khalid.aziz@oracle.com>,
Andrey Konovalov <andreyknvl@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-snps-arc@lists.infradead.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>
Subject: Re: [RFC 1/4] asm-generic/uaccess: don't define inline functions if noinline lib/* in use
Date: Tue, 14 Jan 2020 13:32:50 -0800 [thread overview]
Message-ID: <CAHk-=wjChjfOaDnGygOJpC36R6mtT7=Xf6wWTzD_wLJm=quu0Q@mail.gmail.com> (raw)
In-Reply-To: <20200114200846.29434-2-vgupta@synopsys.com>
On Tue, Jan 14, 2020 at 12:09 PM Vineet Gupta
<Vineet.Gupta1@synopsys.com> wrote:
>
> There are 2 generic varaints of strncpy_from_user() / strnlen_user()
> (1). inline version in asm-generic/uaccess.h
I think we should get rid of this entirely. It's just a buggy garbage
implementation that nobody should ever actually use.
It does just about everything wrong that you *can* do, wrong,
including doing the NUL-filling termination of standard strncpy() that
"strncpy_from_user()" doesn't actually do.
So:
- the asm-generic/uaccess.h __strncpy_from_user() function is just
horribly wrong
- the generic/uaccess.h version of strncpy_from_user() shouldn't be
an inline function either, since the only thing it can do inline is
the bogus one-byte access check that _barely_ makes security work (you
also need to have a guard page to _actually_ make it work, and I'm not
atr all convinced that people do).
the whole thing is just broken and should be removed from a header file.
> (2). optimized word-at-a-time version in lib/*
That is - outside of the original x86 strncpy_from_user() - the only
copy of this function that historically gets all the corner cases
right. And even those we've gotten wrong occasionally.
I would suggest that anybody who uses asm-generic/uaccess.h needs to
simply use the generic library version.
Linus
WARNING: multiple messages have this Message-ID (diff)
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Cc: linux-arch <linux-arch@vger.kernel.org>,
Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
Peter Zijlstra <peterz@infradead.org>,
Andrey Konovalov <andreyknvl@google.com>,
Aleksa Sarai <cyphar@cyphar.com>, Ingo Molnar <mingo@kernel.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-snps-arc@lists.infradead.org,
Andrew Morton <akpm@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC 1/4] asm-generic/uaccess: don't define inline functions if noinline lib/* in use
Date: Tue, 14 Jan 2020 13:32:50 -0800 [thread overview]
Message-ID: <CAHk-=wjChjfOaDnGygOJpC36R6mtT7=Xf6wWTzD_wLJm=quu0Q@mail.gmail.com> (raw)
In-Reply-To: <20200114200846.29434-2-vgupta@synopsys.com>
On Tue, Jan 14, 2020 at 12:09 PM Vineet Gupta
<Vineet.Gupta1@synopsys.com> wrote:
>
> There are 2 generic varaints of strncpy_from_user() / strnlen_user()
> (1). inline version in asm-generic/uaccess.h
I think we should get rid of this entirely. It's just a buggy garbage
implementation that nobody should ever actually use.
It does just about everything wrong that you *can* do, wrong,
including doing the NUL-filling termination of standard strncpy() that
"strncpy_from_user()" doesn't actually do.
So:
- the asm-generic/uaccess.h __strncpy_from_user() function is just
horribly wrong
- the generic/uaccess.h version of strncpy_from_user() shouldn't be
an inline function either, since the only thing it can do inline is
the bogus one-byte access check that _barely_ makes security work (you
also need to have a guard page to _actually_ make it work, and I'm not
atr all convinced that people do).
the whole thing is just broken and should be removed from a header file.
> (2). optimized word-at-a-time version in lib/*
That is - outside of the original x86 strncpy_from_user() - the only
copy of this function that historically gets all the corner cases
right. And even those we've gotten wrong occasionally.
I would suggest that anybody who uses asm-generic/uaccess.h needs to
simply use the generic library version.
Linus
_______________________________________________
linux-snps-arc mailing list
linux-snps-arc@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-snps-arc
next prev parent reply other threads:[~2020-01-14 21:33 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 20:08 [RFC 0/4] Switching ARC to optimized generic strncpy_from_user Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 1/4] asm-generic/uaccess: don't define inline functions if noinline lib/* in use Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:57 ` Arnd Bergmann
2020-01-14 20:57 ` Arnd Bergmann
2020-01-14 20:57 ` Arnd Bergmann
2020-01-15 23:01 ` Vineet Gupta
2020-01-15 23:01 ` Vineet Gupta
2020-01-15 23:01 ` Vineet Gupta
2020-01-16 11:43 ` Arnd Bergmann
2020-01-16 11:43 ` Arnd Bergmann
2020-01-16 11:43 ` Arnd Bergmann
2020-01-14 21:32 ` Linus Torvalds [this message]
2020-01-14 21:32 ` Linus Torvalds
2020-01-15 9:08 ` Arnd Bergmann
2020-01-15 9:08 ` Arnd Bergmann
2020-01-15 9:08 ` Arnd Bergmann
2020-01-15 14:12 ` Al Viro
2020-01-15 14:12 ` Al Viro
2020-01-15 14:12 ` Al Viro
2020-01-15 14:21 ` Arnd Bergmann
2020-01-15 14:21 ` Arnd Bergmann
2020-01-15 14:21 ` Arnd Bergmann
2020-01-14 20:08 ` [RFC 2/4] lib/strncpy_from_user: Remove redundant user space pointer range check Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 21:22 ` Linus Torvalds
2020-01-14 21:22 ` Linus Torvalds
2020-01-14 21:52 ` Vineet Gupta
2020-01-14 21:52 ` Vineet Gupta
2020-01-14 21:52 ` Vineet Gupta
2020-01-14 23:46 ` Al Viro
2020-01-14 23:46 ` Al Viro
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 23:00 ` Vineet Gupta
2020-01-15 23:00 ` Vineet Gupta
2020-01-15 23:00 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 3/4] ARC: uaccess: remove noinline variants of __strncpy_from_user() and friends Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 4/4] ARC: uaccess: use optimized generic __strnlen_user/__strncpy_from_user Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:42 ` Arnd Bergmann
2020-01-14 20:42 ` Arnd Bergmann
2020-01-14 20:42 ` Arnd Bergmann
2020-01-14 21:36 ` Vineet Gupta
2020-01-14 21:36 ` Vineet Gupta
2020-01-14 21:36 ` Vineet Gupta
2020-01-14 21:49 ` Linus Torvalds
2020-01-14 21:49 ` Linus Torvalds
2020-01-14 21:49 ` Linus Torvalds
2020-01-14 22:14 ` Vineet Gupta
2020-01-14 22:14 ` Vineet Gupta
2020-01-14 22:14 ` Vineet Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wjChjfOaDnGygOJpC36R6mtT7=Xf6wWTzD_wLJm=quu0Q@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=Vineet.Gupta1@synopsys.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=arnd@arndb.de \
--cc=christian.brauner@ubuntu.com \
--cc=cyphar@cyphar.com \
--cc=keescook@chromium.org \
--cc=khalid.aziz@oracle.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-snps-arc@lists.infradead.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.