[-- Attachment #1.1.1: Type: text/plain, Size: 803 bytes --] Hi, In the following example from net/dccp/proto.c the pointer given put_user() is casted to (int __user *) although the value to copy is a unsigned long. Is this (correctness and security wise) sane? Because as I understand it put_user() determines the amount it copies from the pointer type. ``` unsigned long amount = 0; skb = skb_peek(&sk->sk_receive_queue); if (skb != NULL) { amount = skb->len; } rc = put_user(amount, (int __user *)arg); ``` Also skb->len is an unsigned int realisticly in most cases < 9000 (and in all cases I can imagine < int_max (with 16 bit)). I would like to declare amount as int outside of the switch case statement (because I need it in another case statement as signed int) would it be safe to do so? Thanks, -- Richard [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
[-- Attachment #1.1.1: Type: text/plain, Size: 94 bytes --] Link to full source: https://elixir.bootlin.com/linux/latest/source/net/dccp/proto.c#L390 [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
[-- Attachment #1.1: Type: text/plain, Size: 337 bytes --] On Fri, 17 Jul 2020 02:13:34 +0200, Richard Sailer said: > unsigned long. Is this (correctness and security wise) sane? Because as > I understand it put_user() determines the amount it copies from the > pointer type. > rc = put_user(amount, (int __user *)arg); If that were true, you wouldn't need to pass the 'amount' variable.... [-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
[-- Attachment #1.1.1: Type: text/plain, Size: 1272 bytes --] On 18/07/2020 00:46, Valdis Klētnieks wrote: > On Fri, 17 Jul 2020 02:13:34 +0200, Richard Sailer said: > >> unsigned long. Is this (correctness and security wise) sane? Because as >> I understand it put_user() determines the amount it copies from the >> pointer type. > >> rc = put_user(amount, (int __user *)arg); > > If that were true, you wouldn't need to pass the 'amount' variable.... > Hmm, that would make no sense to me. arg is a pointer to user space memory, put_user would still need the value to copy to that memory. And my understanding of put_user() comes from its definition in uaccess.h: #define put_user(x, ptr) \ ({ \ int __ret_pu; \ __typeof__(*(ptr)) __pu_val; \ __chk_user_ptr(ptr); \ might_fault(); \ __pu_val = x; \ switch (sizeof(*(ptr))) { \ case 1: \ __put_user_x(1, __pu_val, ptr, __ret_pu); \ break; \ case 2: \ __put_user_x(2, __pu_val, ptr, __ret_pu); \ break; \ case 4: \ __put_user_x(4, __pu_val, ptr, __ret_pu); \ break; \ case 8: \ __put_user_x8(__pu_val, ptr, __ret_pu); \ break; \ [...] But please tell me if I got anything wrong here, I'm still not 100% sure -- Richard [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
[-- Attachment #1.1: Type: text/plain, Size: 422 bytes --] On Sun, 19 Jul 2020 14:15:36 +0200, Richard Sailer said: > > If that were true, you wouldn't need to pass the 'amount' variable.... > > > Hmm, that would make no sense to me. arg is a pointer to user space > memory, put_user would still need the value to copy to that memory. -ENOCAFFEINE. :) I was thinking copy_(to/from)_user, not get/put. I will now depart for the grocery store and obtain a supply of caffeine :) [-- Attachment #1.2: Type: application/pgp-signature, Size: 832 bytes --] [-- Attachment #2: Type: text/plain, Size: 170 bytes --] _______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies