Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1435212rdb;
        Wed, 24 Jan 2024 15:47:53 -0800 (PST)
X-Google-Smtp-Source: AGHT+IG+OhG091d31AEjc+rQs7DwQ23j6uDqt5E2AKNpgmWYTLkT+dqiyAGvMfF1ZiSOmfNPcdlQ
X-Received: by 2002:a17:903:230c:b0:1d5:b275:30a3 with SMTP id d12-20020a170903230c00b001d5b27530a3mr159172plh.24.1706140073453;
        Wed, 24 Jan 2024 15:47:53 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706140073; cv=pass;
        d=google.com; s=arc-20160816;
        b=nQGDp3kfqhYg8DH+wCVnQhIyCB2cIlfH4CLmpl2gzIN2OJPzsutHt6DoOpnkG5Yp6K
         zN0ebGGC18S8oPdMLb3Fy9ydVDCM9RgXjVsjcMs5lC3l4EC7WHWowptznaK68NdrYTxc
         /b0zwbCSP5UBRTOhsyAokjxrtF4kM6nbO5ay+vyb/BZJYom7tMo/i7LNzblMQJjUcVzS
         9pRn0SCbMaefSrSeGHcxiOytUFlXpqxshkdStVfz8ugVFFdRNrlnSB3IjeD8aZbiD5re
         aXJKc+j8I4RiZokcKyjD/HwtGl2LrHJrwzi5TRv3pVZQDecJd0xrTHtxUv4tmqMfyN5U
         t/Sg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=ui-outboundreport:content-transfer-encoding:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:references
         :in-reply-to:message-id:date:subject:cc:to:from;
        bh=FoRb3CjNMY6M5Xaqu9nMysyYX4s/oiufWNZJpWBigdc=;
        fh=IyxZoKqn9NNAryOc2Rb9dYDSjQWWWrd/LSPa0l2Dc8A=;
        b=uHBOwn5NawBUZqVRLhzNdjB7U1iylCYMfrJdmAmiFktIM922wZy4nnly4988wvPlk6
         98KXveKwGPyNafn3GQnXnWSFRrn9UwzdOPK1RQk3C6JfgmdXmeQH/InlwduAEbiaqnaI
         PXaU34VaF1NIX++evCsYojJAAXB5sD8/Tt4mqfHPuceyPtnJlUFYCcRzYcLplMsU6taA
         zgoyLMGyeR5qtE84D2VCVa8mqZhBLzT/OHrhde+ziQ9Zuc8KudoLgogtSxS3mwmpMJC4
         GVlKGrBP0W1dqi6q0sF7vltMOKDc2KwWIOZnd/AI3XlRzm2FSZih5hCK8f5N7RgeAzAt
         xCIg==
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=valentinobst.de);
       spf=pass (google.com: domain of linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id n18-20020a170902d2d200b001d5c0d3f5d1si403332plc.395.2024.01.24.15.47.52
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 24 Jan 2024 15:47:53 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=valentinobst.de);
       spf=pass (google.com: domain of linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37806-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 27632B224B8
	for <linux.lists.archive@gmail.com>; Wed, 24 Jan 2024 23:47:48 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id ABF6C136671;
	Wed, 24 Jan 2024 23:47:36 +0000 (UTC)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4300131E42;
	Wed, 24 Jan 2024 23:47:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=212.227.126.131
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706140056; cv=none; b=JIMPwQs8SQY1MSI8SE3K5+AY8q92V5N/DczN1Bk7T2jccb+7QEUP8ipjh0VK4svWXL9DPp1b33mjdNkU0OKUPfBw+aKx2SAi9iJ+/K0V5vCTNl0rL3DheNOjaSIeG1FR32seyEkUOTpUUdxQSyNxXuL3WEaV0IkUQM1r5FPNpaM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706140056; c=relaxed/simple;
	bh=8BwFmfBkB9wXmUfLjqDQQMhqwqpvRuACnFB8ZYgyf7s=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=TUQZDu0vjnwX4zI2fl5ediUHq8ywk4ddJ7IdoteuP6B2TT6BkfAsRHI1vk9wd/QKnwe2JDVvEA21P+WP4PHkf6uSk4MFrmmiYm6Y/GeuyAH9/Vjo4ZqfVwiyKOpp3/LvBfWRfsLyaPnFpu7/6uBvbqAAa2reVyHG0M2C4ZA5j5U=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=valentinobst.de; spf=pass smtp.mailfrom=valentinobst.de; arc=none smtp.client-ip=212.227.126.131
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=valentinobst.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=valentinobst.de
Received: from localhost.localdomain ([217.249.70.154]) by
 mrelayeu.kundenserver.de (mreue012 [213.165.67.97]) with ESMTPSA (Nemesis) id
 1N0Ip5-1r87RC0iXf-00xKBP; Thu, 25 Jan 2024 00:47:01 +0100
From: Valentin Obst <kernel@valentinobst.de>
To: aliceryhl@google.com
Cc: a.hindborg@samsung.com,
	akpm@linux-foundation.org,
	alex.gaynor@gmail.com,
	arnd@arndb.de,
	arve@android.com,
	benno.lossin@proton.me,
	bjorn3_gh@protonmail.com,
	boqun.feng@gmail.com,
	brauner@kernel.org,
	cmllamas@google.com,
	gary@garyguo.net,
	gregkh@linuxfoundation.org,
	joel@joelfernandes.org,
	keescook@chromium.org,
	linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,
	maco@android.com,
	ojeda@kernel.org,
	rust-for-linux@vger.kernel.org,
	surenb@google.com,
	tkjos@android.com,
	viro@zeniv.linux.org.uk,
	wedsonaf@gmail.com,
	Valentin Obst <kernel@valentinobst.de>
Subject: Re: [PATCH 2/3] rust: add typed accessors for userspace pointers
Date: Thu, 25 Jan 2024 00:46:26 +0100
Message-ID: <20240124234626.6435-1-kernel@valentinobst.de>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240124-alice-mm-v1-2-d1abcec83c44@google.com>
References: <20240124-alice-mm-v1-2-d1abcec83c44@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:Gd8dUn8DsdiwfILUeWWL1kxjPxPP600vXTnWpKQGJW/qHXjgV+z
 8+geoeA63GhPacHwaRfW5f5cYPK9k0eLyL4GsVfgq50Sg/prvcA2u4loKRolU58O3fB/iOo
 0lUXnI7FXu1dd8QCOAHYGK4qk3BdCTrdKSDgwjcuDmc5a73VEgPw4mW0NkLt3tP+K7bHWMu
 HLNLlk4KM0cJzgVzCb6yA==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:qOJAcrdou2M=;U0Dgh275qiGV8d0f5l3kP4AgC3N
 dpuFzkK8EeFuTRmZguWloob/taf4BCRg73JNxcTRGnFG4IsyfS2xM6mo3g7gdgC7KKmP8O7vr
 jkXsNC3KDKUVoi+h02BFDtui7JFfoKKI8YTrTTltKEhnbxAuQqgker5r+c3XCidZnBkDnlg7g
 yGvWvLR1L92GIQI/mN5/4B7cM3QnPcxtghCuk1hhlHOM3l20AkMLxDyV2CNwN7BakKqeXfCI2
 pozPiK26iUgGPoQROCqk/zvIHlOic2pHM2ZelDfp6vYu4EAdqtA5HmOcN0zKXdGe4+hL5uy+6
 oO5PAE2L2zsj4u6MzGJ6QByl/hvea+C168Xct0g7WK0PIOTAu7NKCdp3KirG6SD+zujeKfkNb
 D6Nzqiq/d5GqDI2daOc/OUEUt0WViyAj5j110/QW77PqQeqqMYWg58I0N1wKMEF5hFp2aa+Xo
 RhQkP0QNkb8wbF6JzGBBnh1lnnq4l3wsYSybG94o3SC6PnakBm8KVWQxUL1YPlxDERETNbzEx
 f3g5QoXIPUwG6sz2F7VcdXtY3MdpKmpfuOLNAEQ208HdNhm3yRboHUuJPNy22cCI9UQhRYgQs
 j1RTR4VTn6ycX/BIo12k7U00Jz1BvNx7Kk6TPd7i/tj3ebHKJiMLo6gPSxJqPpjwSB1QA9dLH
 vvH5TQPGeNFRtZuWDnUhhvl79CPGdoIK3oAOGWp7Y/vO3lgddnWEeMqluQZTOmIiE2agSM0U4
 W7/KPe4f1eEjCPwz1XubXQHBWhrzqPlO3liEQJG1Hyem6JdzypXgzVRxQr+W33bXzaJmir0hg
 uwg5F2ppVt3e+UCKmPyd+rpgXk/zgcA2E4LeIEb21ApdC8fY/lPnn/bBHQrt7f9Ah664pgfku
 ovzjl0zElPtdz8g==

> +/*

nit: this would be the first comment in the kernel crate to use this
style, not sure if there is a rule about that though. Maybe still
preferable to keep it consistent.

> + * These methods skip the `check_object_size` check that `copy_[to|from]_user`
> + * normally performs.

nit: They skip the (stronger, and also present without usercopy
hardening) `check_copy_size` wrapping that one.

>                        In C, these checks are skipped whenever the length is a
> + * compile-time constant, since when that is the case, the kernel pointer
> + * usually points at a local variable that is being initialized

Question: I thought that this exemption is about dynamic size
calculations being more susceptible to bugs than hard-coded ones. Does
someone recall the original rationale for that?

>                                                                  and the kernel
> + * pointer is trivially non-dangling.

As far as I know the hardened usercopy checks are not meant to catch
UAFs but rather about OOB accesses (and some info leaks). For example,
if the object is on the heap they check if the copy size exceeds the
allocation size, or, if the object is on the stack, they verify the copy
size does not leave the stack frame.

> + *
> + * These helpers serve the same purpose in Rust. Whenever the length is known at
> + * compile-time, we call this helper to skip the check.
> + */
> +unsigned long rust_helper_copy_from_user_unsafe_skip_check_object_size(void *to, const void __user *from, unsigned long n)
> +{
> +	unsigned long res;
> +
> +	might_fault();
> +	instrument_copy_from_user_before(to, from, n);
> +	if (should_fail_usercopy())
> +		return n;
> +	res = raw_copy_from_user(to, from, n);
> +	instrument_copy_from_user_after(to, from, n, res);
> +	return res;
> +}
> +EXPORT_SYMBOL_GPL(rust_helper_copy_from_user_unsafe_skip_check_object_size);
> +
> +unsigned long rust_helper_copy_to_user_unsafe_skip_check_object_size(void __user *to, const void *from, unsigned long n)
> +{
> +	might_fault();
> +	if (should_fail_usercopy())
> +		return n;
> +	instrument_copy_to_user(to, from, n);
> +	return raw_copy_to_user(to, from, n);
> +}
> +EXPORT_SYMBOL_GPL(rust_helper_copy_to_user_unsafe_skip_check_object_size);

Could those be wrapping `_copy_[to|from]_user` instead?

	- Valentin