Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4584450pxb; Sun, 14 Feb 2021 16:19:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJzfvH6qGBSSmc4LuffWQXi890TCW6Nc3y/yHsjLh0cdaHz/ZVKXONTTeC9Og9izFD617keI X-Received: by 2002:a17:906:c1d9:: with SMTP id bw25mr13088194ejb.452.1613348393139; Sun, 14 Feb 2021 16:19:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613348393; cv=none; d=google.com; s=arc-20160816; b=xFXAC3XS5fTfOfM792aLB4eD8nMQnx2v0zE4JKJCMOu/UnIOSk09V1v0gRcg4Y05EQ FHBowQOEdQH27wZu24S1BUPZjw9UerJKzzwRX4kJRw25yyRteamp6sOCNNR5xFkv/IZc Z6QYyPZWklJqdCPZz1VFougMkczOs67CJZIQNBhSqfSYqVeJLFtpEN9pgTQRXy6Hrgp7 o+A341FRePvFeFGllrSTReDH3/L7bhfWhQ19Df03lFSnl4sQQejbQyYYga0goPhTFx3u HV98pcQErNdJuwQ/nS6OIlbqkKaB4+tLoxgxfchuG9WcNdSTmq981/4jFRGTy38wBexH efWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=EfkZlqWmUQRaAFvJWL4vKoP5WeUHBJ9fqOVgIxOROw0=; b=j12olEijM0kjwnl/xz2tvS/CQVXgW74DhpWef7M3vvczj3V3WQ5rkohcr2sVP5zScy 9q9KYSnWgNoiH4RYDMT5d3qptdZ/IFcfOZ56dWsNWJyyJlkhNx2iCqj91SZaTm8DA0eR Nmf94mrMN/or7xEtrk483eG0RKULIpmsX+oXDw15kWFKJ0ZifYemhuVrUINx4GrMtQoC 22zus9CjdwbfsS5fIW47v4ZvCMrR0eN2pb4SMylclONEiNaAwm3t+FC8mAM37HY7KB3q F/JYqvhue8ceY8AVBMpIdMU7SxusmSeAb5zQuBNLHy66IYgmXn52J+bG6/Xnksjw/U6X fdHw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cd8si10795292ejb.152.2021.02.14.16.19.07; Sun, 14 Feb 2021 16:19:53 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229994AbhBNXvH (ORCPT + 99 others); Sun, 14 Feb 2021 18:51:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229792AbhBNXvH (ORCPT ); Sun, 14 Feb 2021 18:51:07 -0500 Received: from zeniv-ca.linux.org.uk (zeniv-ca.linux.org.uk [IPv6:2607:5300:60:148a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D2A9EC061574; Sun, 14 Feb 2021 15:50:26 -0800 (PST) Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94 #2 (Red Hat Linux)) id 1lBR9Y-00E3Yp-VE; Sun, 14 Feb 2021 23:50:13 +0000 Date: Sun, 14 Feb 2021 23:50:12 +0000 From: Al Viro To: Ben Widawsky Cc: linux-cxl@vger.kernel.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, linux-pci@vger.kernel.org, Bjorn Helgaas , Chris Browy , Christoph Hellwig , Dan Williams , David Hildenbrand , David Rientjes , Ira Weiny , Jon Masters , Jonathan Cameron , Rafael Wysocki , Randy Dunlap , Vishal Verma , "John Groves (jgroves)" , "Kelley, Sean V" , kernel test robot , Dan Williams Subject: Re: [PATCH v2 4/8] cxl/mem: Add basic IOCTL interface Message-ID: References: <20210210000259.635748-1-ben.widawsky@intel.com> <20210210000259.635748-5-ben.widawsky@intel.com> <20210214231456.xnwitliczv6qwmjv@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210214231456.xnwitliczv6qwmjv@intel.com> Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Feb 14, 2021 at 03:14:56PM -0800, Ben Widawsky wrote: > On 21-02-14 16:30:09, Al Viro wrote: > > On Tue, Feb 09, 2021 at 04:02:55PM -0800, Ben Widawsky wrote: > > > > > +static int handle_mailbox_cmd_from_user(struct cxl_memdev *cxlmd, > > > + const struct cxl_mem_command *cmd, > > > + u64 in_payload, u64 out_payload, > > > + struct cxl_send_command __user *s) > > > +{ > > > + struct cxl_mem *cxlm = cxlmd->cxlm; > > > + struct device *dev = &cxlmd->dev; > > > + struct mbox_cmd mbox_cmd = { > > > + .opcode = cmd->opcode, > > > + .size_in = cmd->info.size_in, > > > + }; > > > + s32 user_size_out; > > > + int rc; > > > + > > > + if (get_user(user_size_out, &s->out.size)) > > > + return -EFAULT; > > > > You have already copied it in. Never reread stuff from userland - it *can* > > change under you. > > As it turns out, this is some leftover logic which doesn't need to exist at all, > and I'm happy to change it. Thanks for reviewing. > > I wasn't familiar with this restriction though. For my edification could you > explain how that could happen? Also, is this something that should go in the > kdocs, because I don't see anything about this restriction there. Er... You do realize that if two processes share memory, one can bloody well modify it while another is in the middle of syscall, right? Always could - even mmap(2) with MAP_SHARED is sufficient, same as shmat(2), or the wholesale sharing between POSIX threads, etc. And even on UP with no preemption you could bloody well have a structure that spans a page boundary, with the next page being mmapped and currently not present in memory. Then copy_from_user() would've copied the beginning, hit a page fault, try to read the next page from something slow and lose CPU. Letting the second process run and modify the already copied part. It has been possible since at least mid-80s, well before Linux. Anything in user memory can change under you, right in the middle of syscall. Always could. And there had been very real bugs along the lines of data being read twice, once for safety check, once for actual work. Something like get_user(len, &user_object->len); check that len is reasonable p = kmalloc(offsetof(struct foo, string[len]), GFP_KERNEL); copy_from_user(p, user_object, len); work with the copy, assuming that first p->len bytes of p->string[] are safe to use, find out that p->len is much greater than len since the userland data has changed between two fetches Some of those had been exploitable from the very beginning, some had become such on innocious-looking changes. For the sake of your sanity it's better to avoid such landmines. In some cases it's OK to read the data twice (e.g. in something like select(2)), but those cases are rare and seeing something of that sort is generally a big red flag on review. In almost all cases it's best avoided.