Re: AUDIT: copy_from_user is a deathtrap.

Rusty Russell (rusty@rustcorp.com.au)
Sun, 19 May 2002 13:31:55 +1000


In message <Pine.LNX.4.44.0205181958140.30454-100000@home.transmeta.com> you wr
ite:
>
>
> On Sun, 19 May 2002, Rusty Russell wrote:
> >
> > Huh? No, you ask for 2000 bytes into a buffer that can only take 1000
> > bytes without hitting an unmapped page, returning EFAULT or giving a
> > SIGSEGV is perfectly acceptable.
>
> Bzzt, wrong answer.
>
> Partial reads/writes are perfectly possible and non-buggy for any system
> that uses variations of mmap/mprotect to implement user-level memory
> management, for example persistant data-bases, garbage collection etc.
>
> Which means that if half of a buffer used for "read()" just happens to be
> marked non-writable for some GC purpose, the kernel HAS to have the
> ability return the right answer (which in this case is to say "I could
> only read 1000 bytes"). Because anything else just doesn't give the GC
> library (or whatever) any way to recover nicely.

Um, what about delivering a SIGSEGV? So, copy_to/from_user always
returns 0, but a signal is delivered. Then the only places which need
to be clever are the mount option copying, and the signal delivery
code for SIGSEGV (which uses copy_to_user).

This has the benefit of not breaking existing kernel code, whichever
interpretation of the return value is used.

> > As a coder, I'd *really* prefer that to hiding the bug!
>
> Rusty, face it, you're wrong on this one. Just drop it.

That's certainly possible,
Rusty.

--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/