On 2020-05-17, Christian Brauner <christian.brau...@ubuntu.com> wrote:
> Or... And that's more invasive but ultimately cleaner we v2 the whole
> thing so e.g. SECCOMP_IOCTL_NOTIF_RECV2, SECCOMP_IOCTL_NOTIF_SEND2, and
> embedd the size argument in the structs. Userspace sets the size
> argument, we use get_user() to get the size first and then
> copy_struct_from_user() to handle it cleanly based on that. A similar
> model as with sched (has other unrelated quirks because they messed up
> something too):
>
> static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr
> *attr)
> {
> u32 size;
> int ret;
>
> /* Zero the full structure, so that a short copy will be nice: */
> memset(attr, 0, sizeof(*attr));
>
> ret = get_user(size, &uattr->size);
> if (ret)
> return ret;
>
> /* ABI compatibility quirk: */
> if (!size)
> size = SCHED_ATTR_SIZE_VER0;
> if (size < SCHED_ATTR_SIZE_VER0 || size > PAGE_SIZE)
> goto err_size;
>
> ret = copy_struct_from_user(attr, sizeof(*attr), uattr, size);
> if (ret) {
> if (ret == -E2BIG)
> goto err_size;
> return ret;
> }
>
> We're probably the biggest user of this right now and I'd be ok with
> that change. If it's a v2 than whatever. :)I'm :+1: on a new version and switch to copy_struct_from_user(). I was a little surprised when I found out that user_notif doesn't do it this way a while ago (and although in theory it is userspace's fault, ideally we could have an API that doesn't have built-in footguns). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
signature.asc
Description: PGP signature
