linux-kernel.vger.kernel.org archive mirror
From: Arnaldo Carvalho de Melo <acme@conectiva.com.br>
To: Linus Torvalds <torvalds@transmeta.com>,
	Denis Vlasenko <vda@port.imtp.ilyichevsk.odessa.ua>
Cc: Pete Zaitcev <zaitcev@redhat.com>, linux-kernel@vger.kernel.org
Subject: Re: AUDIT: copy_from_user is a deathtrap.
Date: Tue, 21 May 2002 03:21:18 -0300
Message-ID: <20020521062118.GA13117@conectiva.com.br>
In-Reply-To: <mailman.1021642692.12772.linux-kernel2news@redhat.com> <200205191212.g4JCCLY25867@Port.imtp.ilyichevsk.odessa.ua> <20020520112232.A8983@devserv.devel.redhat.com> <200205210555.g4L5tfY29889@Port.imtp.ilyichevsk.odessa.ua>

On Tue, May 21, 2002 at 08:57:28AM -0200, Denis Vlasenko wrote:
> On 20 May 2002 13:22, you wrote:
> > > Can you tell me what's wrong with copy_from_user? How did you use it
> > > wrongly?
> >
> > Denis, I agree with the essence of Rusty's argument, which is that
> > copy_to_user is easy to misuse in the following way:
> >
> > xxx_ioctl (..., cmd, arg) {
> > 	return copy_to_user(....);
> > }
> >
> > Since copy_to_user returns a number of residue bytes instead of
> > -EINVAL, such statement confuses the caller.
> > Rusty found something about 54 instances of this.
> 
> Oh. Do you think a pair of
> 
> copy_to_user_or_EINVAL(...)
> copy_to_user_return_residue(...)
> 
> will help avoid such bugs?
> It is possible to audit kernel once, move it to new functions
> and deprecate/delete old one.

As Linus and others pointed out, copy_{to,from}_user has its uses and will
stay, but something like:

#define copyin(...) (copy_from_user(...) ? -EFAULT : 0)
#define copyout(...) (copy_to_user(...) ? -EFAULT : 0)

Like several drivers already have (with these names or with other names)
would be something interesting, that way we could clean up the ones that
use this construct and all the others that use the longer
'copy_{to,from}_user(...) ? -EFAULT : 0' construct. If the powers that be
accept this, I'd do the work 8)

Is it *BSD that has copyin/copyout with this semantic? If so it'd even
have an extra bonus to make porting a little bit faster... 8)

- Arnaldo
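
The misuse discussed in this message and the proposed wrapper, as an added example that is not part of the original post or kernel code: a userspace model in which `model_copy_to_user`, `struct user_buf`, `struct dev_info` and the handler names are all hypothetical stand-ins. It shows that returning the residue directly hands the caller a positive number on a partial copy, which the syscall layer does not treat as an error, while the wrapper turns the same fault into -EFAULT.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a user mapping: only the first `mapped` bytes fault-free. */
struct user_buf { char *buf; size_t mapped; };

/* Userspace model of the kernel contract: returns the number of bytes
 * that could NOT be copied (0 on full success), never a negative errno. */
static unsigned long model_copy_to_user(struct user_buf *to, const void *from, unsigned long n)
{
    unsigned long ok = n < to->mapped ? n : to->mapped;
    memcpy(to->buf, from, ok);
    return n - ok;
}

/* Wrapper with the semantics proposed in the message (assumed three-argument form). */
#define copyout(to, from, n) (model_copy_to_user((to), (from), (n)) ? -EFAULT : 0)

struct dev_info { int id; char name[12]; };  /* hypothetical ioctl payload */

/* Misuse pattern from the thread: the residue leaks out as the ioctl result. */
static long buggy_ioctl(struct user_buf *arg)
{
    struct dev_info info = { 7, "demo" };
    return model_copy_to_user(arg, &info, sizeof(info));
}

/* Same handler using the wrapper: a partial copy becomes -EFAULT. */
static long fixed_ioctl(struct user_buf *arg)
{
    struct dev_info info = { 7, "demo" };
    return copyout(arg, &info, sizeof(info));
}

/* Runs a handler against a destination with only `mapped` writable bytes. */
static long run(long (*handler)(struct user_buf *), size_t mapped)
{
    char storage[sizeof(struct dev_info)];
    struct user_buf ub = { storage, mapped };
    return handler(&ub);
}

int main(void)
{
    printf("buggy: %ld  fixed: %ld\n", run(buggy_ioctl, 4), run(fixed_ioctl, 4));
    return 0;
}
```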
