Message ID | 20191016034432.4418-2-christian.brauner@ubuntu.com |
---|---|
State | Changes Requested |
Delegated to: | BPF Maintainers |
Headers | show |
Series | bpf: switch to new usercopy helpers | expand |
On Wed, Oct 16, 2019 at 05:44:30AM +0200, Christian Brauner wrote: > In v5.4-rc2 we added a new helper (cf. [1]) check_zeroed_user() which > does what bpf_check_uarg_tail_zero() is doing generically. We're slowly > switching such codepaths over to use check_zeroed_user() instead of > using their own hand-rolled version. > > [1]: f5a1a536fa14 ("lib: introduce copy_struct_from_user() helper") > Cc: Alexei Starovoitov <ast@kernel.org> > Cc: Daniel Borkmann <daniel@iogearbox.net> > Cc: bpf@vger.kernel.org > Acked-by: Aleksa Sarai <cyphar@cyphar.com> > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> > --- > /* v1 */ > Link: https://lore.kernel.org/r/20191009160907.10981-2-christian.brauner@ubuntu.com > > /* v2 */ > Link: https://lore.kernel.org/r/20191016004138.24845-2-christian.brauner@ubuntu.com > - Alexei Starovoitov <ast@kernel.org>: > - Add a comment in bpf_check_uarg_tail_zero() to clarify that > copy_struct_from_user() should be used whenever possible instead. > > /* v3 */ > - Christian Brauner <christian.brauner@ubuntu.com>: > - use correct checks for check_zeroed_user() > --- > kernel/bpf/syscall.c | 25 +++++++++---------------- > 1 file changed, 9 insertions(+), 16 deletions(-) > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 82eabd4e38ad..40edcaeccd71 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -58,35 +58,28 @@ static const struct bpf_map_ops * const bpf_map_types[] = { > * There is a ToCToU between this function call and the following > * copy_from_user() call. However, this is not a concern since this function is > * meant to be a future-proofing of bits. > + * > + * Note, instead of using bpf_check_uarg_tail_zero() followed by > + * copy_from_user() use the dedicated copy_struct_from_user() helper which > + * performs both tasks whenever possible. > */ > int bpf_check_uarg_tail_zero(void __user *uaddr, > size_t expected_size, > size_t actual_size) > { > - unsigned char __user *addr; > - unsigned char __user *end; > - unsigned char val; > + size_t size = min(expected_size, actual_size); > + size_t rest = max(expected_size, actual_size) - size; > int err; > > if (unlikely(actual_size > PAGE_SIZE)) /* silly large */ > return -E2BIG; > > - if (unlikely(!access_ok(uaddr, actual_size))) > - return -EFAULT; > - > if (actual_size <= expected_size) > return 0; > > - addr = uaddr + expected_size; > - end = uaddr + actual_size; > - > - for (; addr < end; addr++) { > - err = get_user(val, addr); > - if (err) > - return err; > - if (val) > - return -E2BIG; > - } > + err = check_zeroed_user(uaddr + expected_size, rest); Just noticed this 'rest' math. I bet compiler can optimize unnecessary min+max, but let's save it from that job. Just do actual_size - expected_size here instead.
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 82eabd4e38ad..40edcaeccd71 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -58,35 +58,28 @@ static const struct bpf_map_ops * const bpf_map_types[] = { * There is a ToCToU between this function call and the following * copy_from_user() call. However, this is not a concern since this function is * meant to be a future-proofing of bits. + * + * Note, instead of using bpf_check_uarg_tail_zero() followed by + * copy_from_user() use the dedicated copy_struct_from_user() helper which + * performs both tasks whenever possible. */ int bpf_check_uarg_tail_zero(void __user *uaddr, size_t expected_size, size_t actual_size) { - unsigned char __user *addr; - unsigned char __user *end; - unsigned char val; + size_t size = min(expected_size, actual_size); + size_t rest = max(expected_size, actual_size) - size; int err; if (unlikely(actual_size > PAGE_SIZE)) /* silly large */ return -E2BIG; - if (unlikely(!access_ok(uaddr, actual_size))) - return -EFAULT; - if (actual_size <= expected_size) return 0; - addr = uaddr + expected_size; - end = uaddr + actual_size; - - for (; addr < end; addr++) { - err = get_user(val, addr); - if (err) - return err; - if (val) - return -E2BIG; - } + err = check_zeroed_user(uaddr + expected_size, rest); + if (err <= 0) + return err ?: -E2BIG; return 0; }