Received-SPF: pass (google.com: domain of linux-kernel+bounces-132107-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Date: Thu, 04 Apr 2024 20:40:20 +0000
To: Alice Ryhl <aliceryhl@google.com>, Miguel Ojeda <ojeda@kernel.org>, Matthew Wilcox <willy@infradead.org>, Al Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Kees Cook <keescook@chromium.org>
From: Benno Lossin <benno.lossin@proton.me>
Cc: Alex Gaynor <alex.gaynor@gmail.com>, Wedson Almeida Filho <wedsonaf@gmail.com>, Boqun Feng <boqun.feng@gmail.com>, Gary Guo <gary@garyguo.net>, =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= <bjorn3_gh@protonmail.com>, Andreas Hindborg <a.hindborg@samsung.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, =?utf-8?Q?Arve_Hj=C3=B8nnev=C3=A5g?= <arve@android.com>, Todd Kjos <tkjos@android.com>, Martijn Coenen <maco@android.com>, Joel Fernandes <joel@joelfernandes.org>, Carlos Llamas <cmllamas@google.com>, Suren Baghdasaryan <surenb@google.com>, Arnd Bergmann <arnd@arndb.de>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Christian Brauner <brauner@kernel.org>
Subject: Re: [PATCH v4 1/4] rust: uaccess: add userspace pointers
Message-ID: <d0558622-c287-4efd-8ed9-0b2cf15d7c1a@proton.me>
In-Reply-To: <20240404-alice-mm-v4-1-49a84242cf02@google.com>
References: <20240404-alice-mm-v4-0-49a84242cf02@google.com> <20240404-alice-mm-v4-1-49a84242cf02@google.com>
Feedback-ID: 71780778:user:proton
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 04.04.24 14:31, Alice Ryhl wrote:
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> new file mode 100644
> index 000000000000..3f8ad4dc13c4
> --- /dev/null
> +++ b/rust/kernel/uaccess.rs
> @@ -0,0 +1,311 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Slices to user space memory regions.
> +//!
> +//! C header: [`include/linux/uaccess.h`](srctree/include/linux/uaccess.=
h)
> +
> +use crate::{bindings, error::code::*, error::Result};
> +use alloc::vec::Vec;
> +use core::ffi::{c_ulong, c_void};
> +use core::mem::MaybeUninit;
> +
> +/// A pointer to an area in userspace memory, which can be either read-o=
nly or
> +/// read-write.
> +///
> +/// All methods on this struct are safe: attempting to read or write on =
bad
> +/// addresses (either out of the bound of the slice or unmapped addresse=
s) will
> +/// return `EFAULT`. Concurrent access, *including data races to/from us=
erspace
> +/// memory*, is permitted, because fundamentally another userspace
> +/// thread/process could always be modifying memory at the same time (in=
 the
> +/// same way that userspace Rust's [`std::io`] permits data races with t=
he
> +/// contents of files on disk). In the presence of a race, the exact byt=
e values
> +/// read/written are unspecified but the operation is well-defined. Kern=
elspace
> +/// code should validate its copy of data after completing a read, and n=
ot
> +/// expect that multiple reads of the same address will return the same =
value.
> +///
> +/// These APIs are designed to make it difficult to accidentally write T=
OCTOU
> +/// (time-of-check to time-of-use) bugs. Every time a memory location is=
 read,
> +/// the reader's position is advanced by the read length and the next re=
ad will
> +/// start from there. This helps prevent accidentally reading the same l=
ocation
> +/// twice and causing a TOCTOU bug.
> +///
> +/// Creating a [`UserSliceReader`] and/or [`UserSliceWriter`] consumes t=
he
> +/// `UserSlice`, helping ensure that there aren't multiple readers or wr=
iters to
> +/// the same location.
> +///
> +/// If double-fetching a memory location is necessary for some reason, t=
hen that
> +/// is done by creating multiple readers to the same memory location, e.=
g. using
> +/// [`clone_reader`].

I think we should have consistent 100 column formatting. And not
something less.

> +///
> +/// # Examples

[...]

> +    /// Reads raw data from the user slice into a kernel buffer.
> +    ///
> +    /// Fails with `EFAULT` if the read happens on a bad address.
> +    pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
> +        let len =3D out.len();
> +        let out_ptr =3D out.as_mut_ptr().cast::<c_void>();
> +        if len > self.length {
> +            return Err(EFAULT);
> +        }
> +        let Ok(len_ulong) =3D c_ulong::try_from(len) else {
> +            return Err(EFAULT);
> +        };
> +        // SAFETY: The caller promises that `out` is valid for writing `=
len` bytes.

This comment needs updating.

> +        let res =3D unsafe { bindings::copy_from_user(out_ptr, self.ptr,=
 len_ulong) };
> +        if res !=3D 0 {
> +            return Err(EFAULT);
> +        }
> +        // Userspace pointers are not directly dereferencable by the ker=
nel, so
> +        // we cannot use `add`, which has C-style rules for defined beha=
vior.
> +        self.ptr =3D self.ptr.wrapping_byte_add(len);
> +        self.length -=3D len;
> +        Ok(())
> +    }
> +
> +    /// Reads raw data from the user slice into a kernel buffer.
> +    ///
> +    /// Fails with `EFAULT` if the read happens on a bad address.
> +    pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
> +        // SAFETY: The types are compatible and `read_raw` doesn't write
> +        // uninitialized bytes to `out`.

Can you add this as a guarantee to `read_raw`?

> +        let out =3D unsafe { &mut *(out as *mut [u8] as *mut [MaybeUnini=
t<u8>]) };
> +        self.read_raw(out)
> +    }
> +
> +    /// Reads the entirety of the user slice, appending it to the end of=
 the
> +    /// provided buffer.
> +    ///
> +    /// Fails with `EFAULT` if the read happens on a bad address.
> +    pub fn read_all(mut self, buf: &mut Vec<u8>) -> Result {
> +        let len =3D self.length;
> +        buf.try_reserve(len)?;
> +
> +        // The call to `try_reserve` was successful, so the spare capaci=
ty is at
> +        // least `len` bytes long.
> +        self.read_raw(&mut buf.spare_capacity_mut()[..len])?;
> +
> +        // SAFETY: Since the call to `read_raw` was successful, so the n=
ext
> +        // `len` bytes of the vector have been initialized.
> +        unsafe { buf.set_len(buf.len() + len) };
> +        Ok(())
> +    }
> +}
> +
> +/// A writer for [`UserSlice`].
> +///
> +/// Used to incrementally write into the user slice.
> +pub struct UserSliceWriter {
> +    ptr: *mut c_void,
> +    length: usize,
> +}
> +
> +impl UserSliceWriter {
> +    /// Returns the amount of space remaining in this buffer.
> +    ///
> +    /// Note that even writing less than this number of bytes may fail.
> +    pub fn len(&self) -> usize {
> +        self.length
> +    }
> +
> +    /// Returns `true` if no more data can be written to this buffer.
> +    pub fn is_empty(&self) -> bool {
> +        self.length =3D=3D 0
> +    }
> +
> +    /// Writes raw data to this user pointer from a kernel buffer.
> +    ///
> +    /// Fails with `EFAULT` if the write happens on a bad address.
> +    pub fn write_slice(&mut self, data: &[u8]) -> Result {
> +        let len =3D data.len();
> +        let data_ptr =3D data.as_ptr().cast::<c_void>();
> +        if len > self.length {
> +            return Err(EFAULT);
> +        }
> +        let Ok(len_ulong) =3D c_ulong::try_from(len) else {
> +            return Err(EFAULT);
> +        };
> +        let res =3D unsafe { bindings::copy_to_user(self.ptr, data_ptr, =
len_ulong) };

Missing SAFETY comment.

--=20
Cheers,
Benno

> +        if res !=3D 0 {
> +            return Err(EFAULT);
> +        }
> +        // Userspace pointers are not directly dereferencable by the ker=
nel, so
> +        // we cannot use `add`, which has C-style rules for defined beha=
vior.
> +        self.ptr =3D self.ptr.wrapping_byte_add(len);
> +        self.length -=3D len;
> +        Ok(())
> +    }
> +}
>=20
> --
> 2.44.0.478.gd926399ef9-goog
>=20