From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 107744 invoked by alias); 25 Sep 2019 18:04:45 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Received: (qmail 107735 invoked by uid 89); 25 Sep 2019 18:04:44 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-3.7 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.1 spammy=lift, H*i:sk:wjagt25, H*f:sk:wjagt25, H*i:sk:WQ@mail X-HELO: ZenIV.linux.org.uk Date: Wed, 25 Sep 2019 18:04:00 -0000 From: Al Viro To: Linus Torvalds Cc: Aleksa Sarai , Ingo Molnar , Peter Zijlstra , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Christian Brauner , Rasmus Villemoes , GNU C Library , Linux API , Linux Kernel Mailing List Subject: Re: [PATCH v1 1/4] lib: introduce copy_struct_from_user() helper Message-ID: <20190925180412.GK26530@ZenIV.linux.org.uk> References: <20190925165915.8135-1-cyphar@cyphar.com> <20190925165915.8135-2-cyphar@cyphar.com> <20190925172049.skm6ohnnxpofdkzv@yavin> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) X-SW-Source: 2019-09/txt/msg00427.txt.bz2 On Wed, Sep 25, 2019 at 10:48:31AM -0700, Linus Torvalds wrote: > On Wed, Sep 25, 2019 at 10:21 AM Aleksa Sarai wrote: > > > > Just to make sure I understand, the following diff would this solve the > > problem? If so, I'll apply it, and re-send in a few hours. > > Actually, looking at it more, it's still buggy. > > That final "size smaller than unsigned long" doesn't correctly handle > the case of (say) a single byte in the middle of a 8-byte word. > > So you need to do something like this: > > int is_zeroed_user(const void __user *from, size_t size) > { > unsigned long val, mask, align; > > if (unlikely(!size)) > return true; > > if (!user_access_begin(from, size)) > return -EFAULT; > > align = (uintptr_t) from % sizeof(unsigned long); > from -= align; > size += align; > > mask = ~aligned_byte_mask(align); > > while (size >= sizeof(unsigned long)) { > unsafe_get_user(val, (unsigned long __user *) from, err_fault); > val &= mask; > if (unlikely(val)) > goto done; > mask = ~0ul; > from += sizeof(unsigned long); > size -= sizeof(unsigned long); > } > > if (size) { > /* (@from + @size) is unaligned. */ > unsafe_get_user(val, (unsigned long __user *) from, err_fault); > mask &= aligned_byte_mask(size); > val &= mask; > } IMO it's better to lift reading the first word out of the loop, like this: align = (uintptr_t) from % sizeof(unsigned long); from -= align; unsafe_get_user(val, (unsigned long __user *) from, err_fault); if (align) { size += align; val &= ~aligned_byte_mask(align); } while (size > sizeof(unsigned long)) { if (unlikely(val)) goto done; from += sizeof(unsigned long); size -= sizeof(unsigned long); unsafe_get_user(val, (unsigned long __user *) from, err_fault); } if (size != size(unsigned long)) val &= aligned_byte_mask(size); done: Do you see any problems with that variant?