Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2931904pxb;
        Tue, 13 Apr 2021 14:02:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxl4byO49sGdG3LPMewkSwb30uIgJAhq48gRn+MzUTrKnbqmlIrG6sIjupyNMC4VJP6WSvD
X-Received: by 2002:a63:40c1:: with SMTP id n184mr3195741pga.219.1618347731195;
        Tue, 13 Apr 2021 14:02:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618347731; cv=none;
        d=google.com; s=arc-20160816;
        b=oTYSRq71tphphTqr8Oib5nAtQfgvY8ZMMNiKdvWXHPoo+dDG3E4rOxPNwEVdJnaOKn
         sLoWMkhMv5MPTqj+PMuPWkFnYx2oheEJ+Dgyj69xucQ60tz1G2+iAjN0cZkdM+2PENHo
         /g6SG/JN1H4wJLQQyEMcgduYiTMdmlKKvoK+Rc2hhal3bBaDIU196tROwwggwqPwBre7
         nlCmP3QFgI0i8rzFVnM5EOnBZxnHu03Ch+yLJjpsxc23QtsaYaSxeYS81iLA/ahhAtb1
         LqxYJBMJFLtnDp8xR86BkUsm0ANawRNnoireZzlmQwjc1En1WTABjaX/c9KTCeZ1vtrk
         tQ3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=GKWR0kpJHaMEnPt4LQeCb5NNilRwRYMHt/LZ75ahrg0=;
        b=cfoPVkxtRI6cFRMr2ax/oY8Jl69NuZMrEYWeLg5na6ToG27gEmveJNwXcwAEanFrFe
         ekmII4mprXAEe3H9HFVVrYELYn3gljSO2xsdsRbIs7DAnjohyZk3Si6jnh/LPTt35Qx5
         qEF3j1NKgs4Rv3bCXBydEWi6xO7+Jv/s7qBu2dqnmX+5RZCttgZh3rFgvpgiKmdgYZIj
         cjtY/xffvj1o0y641uFtqs9rPTc+n0rW2vWnuy+Hs6hoFI4qvAR5UPfSkhN8ecg8z2jv
         h2bF9CQ0dtxymooHe6rHZ5darWx7vTUKJtsxyyn7S5bADjTZ7d5ZSUuR5bjqORgE+cPZ
         xlIQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id cx16si3952798pjb.128.2021.04.13.14.01.59;
        Tue, 13 Apr 2021 14:02:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1346584AbhDMPWZ (ORCPT <rfc822;linux.s.jambekar@gmail.com>
        + 99 others); Tue, 13 Apr 2021 11:22:25 -0400
Received: from elvis.franken.de ([193.175.24.41]:48136 "EHLO elvis.franken.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231485AbhDMPWZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Apr 2021 11:22:25 -0400
Received: from uucp (helo=alpha)
        by elvis.franken.de with local-bsmtp (Exim 3.36 #1)
        id 1lWKrc-00025U-00; Tue, 13 Apr 2021 17:22:04 +0200
Received: by alpha.franken.de (Postfix, from userid 1000)
        id E2FBBC02F4; Tue, 13 Apr 2021 17:19:09 +0200 (CEST)
Date:   Tue, 13 Apr 2021 17:19:09 +0200
From:   Thomas Bogendoerfer <tsbogend@alpha.franken.de>
To:     David Laight <David.Laight@ACULAB.COM>
Cc:     Jinyang He <hejinyang@loongson.cn>,
        Tiezhu Yang <yangtiezhu@loongson.cn>,
        "linux-mips@vger.kernel.org" <linux-mips@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] MIPS: Fix strnlen_user access check
Message-ID: <20210413151909.GA13549@alpha.franken.de>
References: <1618139092-4018-1-git-send-email-hejinyang@loongson.cn>
 <cbe5e79b-ee6c-5c59-0051-28e4d1152666@loongson.cn>
 <20210412142730.GA23146@alpha.franken.de>
 <2fd31420-1f96-9165-23ea-fdccac1b522a@loongson.cn>
 <20210413111438.GA9472@alpha.franken.de>
 <069e524dbad2412f9e74fd234f40fff5@AcuMS.aculab.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <069e524dbad2412f9e74fd234f40fff5@AcuMS.aculab.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 13, 2021 at 12:37:25PM +0000, David Laight wrote:
> From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> > Sent: 13 April 2021 12:15
> ...
> > > The __access_ok() is noted with `Ensure that the range [addr, addr+size)
> > > is within the process's address space`. Does the range checked by
> > > __access_ok() on MIPS is [addr, addr+size]. So if we want to use
> > > access_ok(s, 1), should we modify __access_ok()? Or my misunderstanding?
> > 
> > you are right, I'm going to apply
> > 
> > https://patchwork.kernel.org/project/linux-mips/patch/20190209194718.1294-1-paul.burton@mips.com/
> > 
> > to fix that.
> 
> Isn't that still wrong?
> If an application does:
> 	write(fd, (void *)0xffff0000, 0);
> it should return 0, not -1 and EFAULT/SIGSEGV.

WRITE(2)                   Linux Programmer's Manual                  WRITE(2)
[...]
       If  count  is  zero  and  fd refers to a regular file, then write() may
       return a failure status if one of the errors below is detected.  If  no
       errors  are  detected,  or  error detection is not performed, 0 will be
       returned without causing any other effect.  If count  is  zero  and  fd
       refers  to a file other than a regular file, the results are not speci-
       fied.
[...]
       EFAULT buf is outside your accessible address space.

at least it's covered by the man page on my Linux system.

> There is also the question about why this makes any difference
> to the original problem of logging in via the graphical interface.

kernel/module.c:        mod->args = strndup_user(uargs, ~0UL >> 1);

and strndup_user does a strnlen_user.

> ISTM that it is very unlikely that the length passed to strnlen_user()
> is long enough to take potential buffer beyond the end of user
> address space.

see above.

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea.                                                [ RFC1925, 2.3 ]