Just in order to bring your attention!
This is the patch patch for copy_user routine, you've discussed recently.
I'm attached updated patch, in order to pass 'checkpatch.pl' tool process smoothly.
Couple of extra whitespace has been removed and signed-off and acked-by lines
added.
Patch cleanly applies to current git tree.
-Anton
Vitaly Mayatskikh wrote:
> Bug in copy_user can be used from userspace on RHEL-4 and other
> distributions with similar kernel base (CVE-2008-0598). Patch with fixed
> copy_user attached, it falls into byte copy loop on faults and returns
> correct count for uncopied bytes. Patch also fixes incorrect passing of
> zero flag in copy_to_user (%eax was used instead of %ecx).
>
> Also there's script for systemtap, it tests corner cases in both
> copy_user realizations (unrolled and string).
>
>
>
> ------------------------------------------------------------------------
>
>
On Thu, 26 Jun 2008, Anton Arapov wrote:
>
> This is the patch patch for copy_user routine, you've discussed recently.
I don't think it works right.
Isn't this same routine also used for copy_in_user()? For that case both
source _and_ destination can fault, but your fixup routines assume that
onle one of them does (ie the fixup for a load-fault does a store for the
previously loaded valies, and assumes that it doesn't trap)
Also, I'd realy rather do this all by handling the "taul" case in C. We
already effectively have _half_ that support: the "clear end" flag ends up
calling our specialized memset() routine, but it would be much nicer if
we:
- extended the "clear end" flag to be not just "clear end", but also
which direction things are going.
- always call a (fixed) fixup-routine that is written in C (because
performance on a cycle basis no longer matters) that gets the remaining
length and the source and destination as arguments, along with the
"clear and direction flag".
- make that fixup routine do the byte-exact tests and any necessary
clearing (and return the possibly-fixed-up remaining length).
Notice how this way we still have _optimal_ performance for the case where
no fault happens, and we don't need any complex fixups in assembly code at
all - the only thing the asm routines need to do is to get the right
length (we already have this) and fix up the source/dest pointers (we
don't generally have this, although the zero-at-end fixes up the
destination pointer in order to zero it, of course).
Hmm?
Linus
Linus Torvalds <[email protected]> writes:
>> This is the patch patch for copy_user routine, you've discussed recently.
>
> I don't think it works right.
>
> Isn't this same routine also used for copy_in_user()? For that case both
> source _and_ destination can fault, but your fixup routines assume that
> onle one of them does (ie the fixup for a load-fault does a store for the
> previously loaded valies, and assumes that it doesn't trap)
Right. I've missed it... :(
> Also, I'd realy rather do this all by handling the "taul" case in C. We
> already effectively have _half_ that support: the "clear end" flag ends up
> calling our specialized memset() routine, but it would be much nicer if
> we:
>
> - extended the "clear end" flag to be not just "clear end", but also
> which direction things are going.
> - always call a (fixed) fixup-routine that is written in C (because
> performance on a cycle basis no longer matters) that gets the remaining
> length and the source and destination as arguments, along with the
> "clear and direction flag".
> - make that fixup routine do the byte-exact tests and any necessary
> clearing (and return the possibly-fixed-up remaining length).
>
> Notice how this way we still have _optimal_ performance for the case where
> no fault happens, and we don't need any complex fixups in assembly code at
> all - the only thing the asm routines need to do is to get the right
> length (we already have this) and fix up the source/dest pointers (we
> don't generally have this, although the zero-at-end fixes up the
> destination pointer in order to zero it, of course).
>
> Hmm?
Seems reasonable. However, we still need specialized memset() routine,
because, again, destination can fail. Thanks for the review, Linus!
--
wbr, Vitaly
On Thu, 26 Jun 2008, Vitaly Mayatskikh wrote:
>
> Seems reasonable. However, we still need specialized memset() routine,
> because, again, destination can fail. Thanks for the review, Linus!
Actually, the "zero at the end" case is only for copy_from_user() (at
least it _should_ be), so for the clearing-at-end you should be able to
use a regular memset().
But it's not a big deal either way. As long as we only get into the fixup
routine at exception time, and handle all the common cases fast (ie do the
32-byte unrolled thing etc optimally), the fixup routine can do everything
a byte at a time with "get_user()" and "put_user()" etc. The "fault at
copy_*_user()" case really isn't all that performance-sensitive, because
it really happens essentially _never_.
(That's obviously why nobody even noticed how broken they were for
essentially what must have been _years_. It's not just not a performance
sensitive area, it's one that is entered so seldom that it's hard to ever
hit any correctness issues either)
Linus