linux-kernel.vger.kernel.org archive mirror
From: yalin wang <yalin.wang2010@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>,
	mingo@redhat.com, hpa@zytor.com, x86@kernel.org, bp@suse.de,
	open list <linux-kernel@vger.kernel.org>,
	Will Deacon <will.deacon@arm.com>
Subject: [x86] copy_from{to}_user question
Date: Wed, 12 Aug 2015 17:01:14 +0800
Message-ID: <7FD389F5-C677-4439-8082-EB0CAE2814F6@gmail.com>

hi x86 maintainers,

I have a question about the copy_from{to}_user() functions.
I find that on other platforms like arm / arm64 / hexagon,
all copy_from{to}_user functions only check the source address for
copy_from_user and only the destination address for copy_to_user;
they never check both source and dest together.

But on the x86 platform, I see copy_from{to}_user use a generic function
named copy_user_generic_unrolled() in arch/x86/lib/copy_user_64.S.

It checks both the source and dest addresses no matter whether it is
copy_from_user or copy_to_user. Is this correct?
For copy_from_user I think only checking the source address is enough;
if both addresses are checked, it may hide some kernel BUG if the kernel address
is not valid, because the fixup code will fix it up and the kernel will
not panic in this situation.

Another problem is in ./fs/proc/kcore.c, in the
read_kcore() function:

	if (kern_addr_valid(start)) {
		unsigned long n;

		n = copy_to_user(buffer, (char *)start, tsz);
		/*
		 * We cannot distinguish between fault on source
		 * and fault on destination. When this happens
		 * we clear too and hope it will trigger the
		 * EFAULT again.
		 */
		if (n) {
			if (clear_user(buffer + tsz - n,
						n))
				return -EFAULT;
		}
	} else {
		if (clear_user(buffer, tsz))
			return -EFAULT;
	}

It relies on copy_to_user() being able to fault on both user and kernel addresses,
which is not true on the arm / arm64 / hexagon platforms, and maybe some other platforms;
I didn't check all platform code.
And this code may result in a kernel panic on these platforms.

I think x86’s copy_from{to}_user code needs to change like the other platforms.
Or am I missing something?

Thanks
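As an added illustration (not part of this mail, the thread, or the kernel tree), the following userspace C program models the two copy_to_user() contracts the mail contrasts and runs the read_kcore() pattern against each. "Kernel memory" is a small array, an address past its end stands in for an unmapped kernel address, and every name here (the model_ helpers, kmem, user_buf, the KCORE_OOPS sentinel, the sample layout) is constructed for the model rather than taken from the kernel. The scenario it exercises is the one the kcore comment worries about: kern_addr_valid() is consulted for the start address only, while the copy window runs past the end of mapped memory.

```c
/* Added example: userspace model of copy_to_user() fault semantics.
 * Not kernel code; all names and values below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KMEM_SIZE  64
#define EFAULT     14
#define KCORE_OOPS (-1000)  /* constructed sentinel: fault with no fixup in the model */

static unsigned char kmem[KMEM_SIZE];  /* model "kernel" memory */
static unsigned char user_buf[16];     /* model user buffer, always writable */

/* Which side of the copy has exception-table fixups. */
typedef enum {
    FAULT_BOTH,      /* x86-style: kernel-side loads and user-side stores are fixed up */
    FAULT_DEST_ONLY  /* arm-style: only the user-side access is fixed up */
} copy_semantics;

struct copy_result {
    size_t not_copied;  /* what copy_to_user() would return */
    int    oops;        /* 1 if the model hit a fault that nothing fixes up */
};

/* Models kern_addr_valid() for a single byte of "kernel" address. */
static int model_kern_addr_valid(unsigned long addr)
{
    return addr < KMEM_SIZE;
}

/* Models copy_to_user(to, from, n) where 'from' is a kernel address. */
static struct copy_result model_copy_to_user(unsigned char *to, unsigned long from,
                                             size_t n, copy_semantics sem)
{
    struct copy_result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (!model_kern_addr_valid(from + i)) {
            r.not_copied = n - i;
            /* With a source-side fixup the copy stops and reports a short
             * copy; without one the load faults in kernel context. */
            r.oops = (sem == FAULT_DEST_ONLY);
            return r;
        }
        to[i] = kmem[from + i];
    }
    return r;
}

/* Models clear_user(); the model's user buffer never faults. */
static int model_clear_user(unsigned char *to, size_t n)
{
    memset(to, 0, n);
    return 0;
}

/* The read_kcore() snippet from the mail, transcribed onto the model.
 * Only 'start' is checked, not the whole tsz-byte window, so the copy
 * itself can still run into an unmapped kernel address. */
static int model_read_kcore(unsigned char *buffer, unsigned long start,
                            size_t tsz, copy_semantics sem)
{
    if (model_kern_addr_valid(start)) {
        struct copy_result r = model_copy_to_user(buffer, start, tsz, sem);
        if (r.oops)
            return KCORE_OOPS;
        if (r.not_copied) {
            if (model_clear_user(buffer + tsz - r.not_copied, r.not_copied))
                return -EFAULT;
        }
    } else {
        if (model_clear_user(buffer, tsz))
            return -EFAULT;
    }
    return 0;
}

/* Scenario: 'start' is mapped, but the 16-byte window runs 8 bytes past
 * the end of mapped kernel memory. Returns the read_kcore() result. */
static int run_kcore_read(copy_semantics sem)
{
    memset(kmem, 0xAB, sizeof kmem);
    memset(user_buf, 0xFF, sizeof user_buf);
    return model_read_kcore(user_buf, KMEM_SIZE - 8, sizeof user_buf, sem);
}

/* 1 if the first 8 bytes were copied (0xAB) and the remaining 8 cleared. */
static int half_copied_half_cleared(void)
{
    for (int i = 0; i < 8; i++)
        if (user_buf[i] != 0xAB) return 0;
    for (int i = 8; i < 16; i++)
        if (user_buf[i] != 0) return 0;
    return 1;
}

int main(void)
{
    int rc = run_kcore_read(FAULT_BOTH);
    printf("fixups on both sides: rc=%d, tail cleared=%d\n", rc, half_copied_half_cleared());
    rc = run_kcore_read(FAULT_DEST_ONLY);
    printf("fixups on destination only: rc=%d (%s)\n", rc,
           rc == KCORE_OOPS ? "unhandled kernel fault" : "ok");
    return 0;
}
```

Under FAULT_BOTH the short copy is absorbed by the clear_user() fallback and the caller sees a zero-filled tail; under FAULT_DEST_ONLY the same read reaches the unmapped source address with nothing to catch it, which is the kernel-side fault the mail is concerned about. The model is only a device for reasoning about the two contracts; the real arch code decides which one applies.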

Thread overview: 13+ messages
2015-08-12  9:01 yalin wang [this message]
2015-08-12 10:07 ` [x86] copy_from{to}_user question Borislav Petkov
2015-08-13 10:04   ` yalin wang
2015-08-13 16:43     ` Borislav Petkov
2015-08-17  3:27       ` yalin wang
2015-08-17  4:16         ` Borislav Petkov
2015-08-20  8:58           ` yalin wang
2015-08-20 18:22           ` H. Peter Anvin
2015-08-21  4:35             ` Borislav Petkov
2015-08-21 21:06               ` H. Peter Anvin
2015-08-22  9:05                 ` Borislav Petkov
2015-08-24  7:52                   ` yalin wang
2015-08-24 12:05                     ` Jeff Epler
