Linux-SCTP Archive mirror
From: David Laight <David.Laight@ACULAB.COM>
To: 'Willem de Bruijn' <willemdebruijn.kernel@gmail.com>,
	Breno Leitao <leitao@debian.org>
Cc: "axboe@kernel.dk" <axboe@kernel.dk>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"edumazet@google.com" <edumazet@google.com>,
	"kuba@kernel.org" <kuba@kernel.org>,
	"pabeni@redhat.com" <pabeni@redhat.com>,
	"courmisch@gmail.com" <courmisch@gmail.com>,
	"nhorman@tuxdriver.com" <nhorman@tuxdriver.com>,
	"asml.silence@gmail.com" <asml.silence@gmail.com>,
	"alex.aring@gmail.com" <alex.aring@gmail.com>,
	"dccp@vger.kernel.org" <dccp@vger.kernel.org>,
	"mptcp@lists.linux.dev" <mptcp@lists.linux.dev>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"matthieu.baerts@tessares.net" <matthieu.baerts@tessares.net>,
	"marcelo.leitner@gmail.com" <marcelo.leitner@gmail.com>,
	"linux-wpan@vger.kernel.org" <linux-wpan@vger.kernel.org>,
	"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
	"leit@fb.com" <leit@fb.com>,
	"dsahern@kernel.org" <dsahern@kernel.org>
Subject: RE: [PATCH 1/1] net: ioctl: Use kernel memory on protocol ioctl callbacks
Date: Sat, 20 May 2023 13:02:57 +0000
Message-ID: <ab85b4420e93475dacd5e18017704b24@AcuMS.aculab.com>
In-Reply-To: <CAF=yD-Jj6dvyOskL+F52_aaaCovVTcpoYSCeMY7xH=FK7r3Jiw@mail.gmail.com>

From: Willem de Bruijn
> Sent: 19 May 2023 16:09
...
> Since that is a limited well understood list, I'm not in favor of the
> suggestion to add an explicit length argument that then needs to be
> checked in each callee.

While calls from userspace and direct calls from drivers can be
reasonably expected to have the required length buffer, I'm
not sure that is guaranteed for indirect calls via io_uring
and bpf.
In those cases the associated length is likely to come from
userspace and a suitably sized kernel buffer allocated.
So something needs to ensure the buffer is long enough
(and, indeed, not stupidly long).

Now you could require that the caller always supply a buffer
of at least (say) 64 bytes as well as the actual length.
Then only callee functions that have a long buffer need check.

An alternate option is to define a union of all the valid
argument types and require that any code making 'unknown'
requests supply a kernel buffer of that length.
(With due care taken to avoid overlong copies of uninitialised
kernel memory back to userspace.)

The same union would be useful as an upper bound for the
kernel buffer size - even if it is too large to always
allocate on stack.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
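
The checks discussed in the message above, modelled in userspace C as an added example (not code from the patch or from anyone in the thread): an indirect caller always works on a kernel buffer sized by a union of the argument types, rejects lengths above that bound, and copies back only the bytes the callee produced. The demo_* names, the two argument types and the command numbers are constructed for illustration; memcpy() stands in for copy_to_user().

```c
#include <errno.h>
#include <string.h>

struct demo_counters { unsigned long pkts, bytes; };  /* constructed type */
union proto_ioctl_arg {            /* sizeof() is the buffer upper bound */
    int value;
    struct demo_counters counters;
};
enum { DEMO_GET_INT = 1, DEMO_GET_COUNTERS = 2 };     /* hypothetical cmds */

/* Callee: fills the kernel buffer and reports how many bytes are valid. */
static int demo_proto_ioctl(int cmd, union proto_ioctl_arg *karg, size_t *used)
{
    switch (cmd) {
    case DEMO_GET_INT:
        karg->value = 42;
        *used = sizeof(karg->value);
        return 0;
    case DEMO_GET_COUNTERS:
        karg->counters = (struct demo_counters){ .pkts = 7, .bytes = 4096 };
        *used = sizeof(karg->counters);
        return 0;
    }
    return -ENOTTY;
}

/* Indirect caller: user_len comes from userspace and is not trusted. */
static long demo_ioctl_indirect(int cmd, void *user_buf, size_t user_len)
{
    union proto_ioctl_arg karg;
    size_t used = 0;
    int ret;

    if (user_len > sizeof(karg))        /* reject overlong requests */
        return -EINVAL;
    memset(&karg, 0, sizeof(karg));     /* no uninitialised bytes to leak */
    ret = demo_proto_ioctl(cmd, &karg, &used);
    if (ret)
        return ret;
    if (user_len < used)                /* caller's buffer too short for cmd */
        return -EINVAL;
    memcpy(user_buf, &karg, used);      /* copy back only what was produced */
    return (long)used;
}

int main(void)
{
    int v = 0;
    return demo_ioctl_indirect(DEMO_GET_INT, &v, sizeof(v)) == (long)sizeof(v) ? 0 : 1;
}
```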

Thread overview: 11+ messages
2023-05-19 13:58 [PATCH 0/1] net: ioctl: Use kernel buffer on proto ioctl callbacks Breno Leitao
2023-05-19 13:58 ` [PATCH 1/1] net: ioctl: Use kernel memory on protocol " Breno Leitao
2023-05-19 14:22   ` David Laight
2023-05-19 15:09   ` Willem de Bruijn
2023-05-19 15:39     ` Breno Leitao
2023-05-19 17:04       ` Willem de Bruijn
2023-05-20 12:48         ` David Laight
2023-05-20 13:02     ` David Laight [this message]
2023-05-20  3:50   ` David Ahern
2023-05-19 15:15 ` [PATCH 0/1] net: ioctl: Use kernel buffer on proto " Jakub Kicinski
2023-05-19 15:19   ` Breno Leitao
