Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A694C636CC for ; Tue, 7 Feb 2023 09:13:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231158AbjBGJNv (ORCPT ); Tue, 7 Feb 2023 04:13:51 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230361AbjBGJNs (ORCPT ); Tue, 7 Feb 2023 04:13:48 -0500 X-Greylist: delayed 446 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Tue, 07 Feb 2023 01:13:45 PST Received: from ouvsmtp1.octopuce.fr (ouvsmtp1.octopuce.fr [194.36.166.50]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED00F18B15; Tue, 7 Feb 2023 01:13:45 -0800 (PST) Received: from panel.vitry.ouvaton.coop (unknown [194.36.166.20]) by ouvsmtp1.octopuce.fr (Postfix) with ESMTPS id 9366B1DC; Tue, 7 Feb 2023 10:06:16 +0100 (CET) Received: from [192.168.1.18] (lfbn-idf2-1-1024-123.w86-238.abo.wanadoo.fr [86.238.255.123]) by panel.vitry.ouvaton.coop (Postfix) with ESMTPSA id B6FD15E204B; Tue, 7 Feb 2023 10:06:14 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ouvaton.org; s=default; t=1675760776; bh=YX0gNKJmv7B0U2PNuC8epDN4OrK4OL3H/or53nn8tMo=; l=1246; h=Subject:To:From; b=Woy/6i0vuWfkj+rwRaV0Dy58emaOmJ6FHz7/scGmMSQmhen0COQMvdlBxHpGBpksH D4slGo59errcnxtR6htO5A8Goc2MsxFLAUapuHll5BsqAR0jTwvcDQ4eHDRK0YDBKQ 7s0m28Pv8yjA6A0di69TWMAX6g9q9+IueVowqOc8= Message-ID: <9f549c7b-bc72-8037-abfc-fe2f146ff82c@ouvaton.org> Date: Tue, 7 Feb 2023 10:06:14 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 Subject: Re: [PATCH] uaccess: Add minimum bounds check on kernel buffer size Content-Language: fr-FR, en-US, en-GB To: Geert Uytterhoeven , Arnd Bergmann Cc: Kees Cook , Aleksa Sarai , Christian Brauner , Rasmus Villemoes , Dinh Nguyen , Catalin Marinas , Andrew Morton , Alexander Potapenko , Christian Brauner , Stafford Horne , Alexander Viro , Christophe Leroy , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org References: <20230203193523.never.667-kees@kernel.org> <6c728dfc-d777-4beb-b463-649704c81a5e@app.fastmail.com> From: Yann Droneaud In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Le 06/02/2023 à 21:03, Geert Uytterhoeven a écrit : > Hi Arnd, > > On Fri, Feb 3, 2023 at 10:23 PM Arnd Bergmann wrote: >> On Fri, Feb 3, 2023, at 20:35, Kees Cook wrote: >>> --- a/include/linux/uaccess.h >>> +++ b/include/linux/uaccess.h >>> @@ -329,6 +329,10 @@ copy_struct_from_user(void *dst, size_t ksize, >>> const void __user *src, >>> size_t size = min(ksize, usize); >>> size_t rest = max(ksize, usize) - size; >>> >>> + /* Double check if ksize is larger than a known object size. */ >>> + if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1))) >>> + return -E2BIG; >>> + >> WARN_ON_ONCE() may be a little expensive since that adds two >> comparisons and a static variable to each copy, but it's probably >> fine. > When seeing this, I was a bit worried about the size increase. > Hence I gave it a try on atari_defconfig and ran bloat-o-meter. > Surprisingly, there was no size increase at all, as all checks > were optimized away. > > Hence perhaps this can become a compile-time check? It should be a compile-time check, because one would not want __builtin_object_size(dst, 1) to return -1 if dst' size is not known at compile-time. Regards. -- Yann Droneaud OPTEYA