Re: Question on "uaccess: Add strict non-pagefault kernel-space read function"

From: Daniel Borkmann
Date: Tue Apr 07 2020 - 05:03:33 EST


On 4/4/20 11:31 AM, Christoph Hellwig wrote:
> On Fri, Apr 03, 2020 at 04:20:24PM +0200, Daniel Borkmann wrote:
>> With crazy old functions I presume you mean the old bpf_probe_read()
>> which is mapped to BPF_FUNC_probe_read helper or something else entirely?
>
> I couldn't care less about bpf, this is about the kernel API.
>
> What I mean is that your new probe_kernel_read_strict and
> strncpy_from_unsafe_strict helpers are good and useful. But for this
> to actually make sense we need to get rid of the non-strict versions,
> and we also need to get rid of some of the weak alias magic.

Yeah agree, the probe_kernel_read() should do the strict checks by default
and there would need to be some way to opt-out for the legacy helpers to
not break. So it would end up looking like the below ...

long __probe_kernel_read(void *dst, const void *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	/* refuse anything outside the kernel address range before touching it */
	if (kernel_range_ok(src, size))
		ret = probe_read_common(dst, (__force const void __user *)src, size);
	set_fs(old_fs);

	return ret;
}

... where archs with non-overlapping user and kernel address range would
only end up having to implement the kernel_range_ok() check. Or, instead of
a generic kernel_range_ok() this could perhaps be more probing-specific as
in probe_kernel_range_ok() where this would then also cover the special
cases we seem to have in parisc and um. Then, this would allow getting rid
of all the __weak aliasing as well which may just be confusing. I could look
into coming up with something along these lines. Thoughts?
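As an added illustration (not code from this thread, from Daniel's patch, or from the kernel), the following user-space C model shows the shape of the strict check sketched above for an architecture whose user and kernel address ranges do not overlap: a range check that rejects both user-space addresses and a length that would wrap past the top of the address space, placed in front of the fault-tolerant copy, beside the legacy non-strict path that still happily reads a user address. The address layout, the window size, the backing arrays and every `*_model` name are constructed for this example; the kernel's own helpers are not involved.

```c
/* Added example: user-space model of a strict probe_kernel_read() with an
 * up-front kernel_range_ok() check. Layout and names are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define EFAULT 14

/* Constructed address layout: user space lives low, kernel space high,
 * and the two ranges never overlap (the assumption Daniel makes above). */
#define KERNEL_START ((uintptr_t)0xffff800000000000ULL)
#define USER_BASE    ((uintptr_t)0x0000000000001000ULL)
#define WINDOW       64   /* bytes of each range that the model "maps" */

/* Constructed contents standing in for mapped kernel and user pages. */
static unsigned char kernel_mem[WINDOW] = "constructed kernel bytes";
static unsigned char user_mem[WINDOW]   = "constructed user bytes";

/* True iff [src, src + size) lies entirely inside the kernel range.
 * The last byte is src + size - 1, so a size that would wrap around
 * UINTPTR_MAX is rejected instead of silently aliasing a low address. */
static bool kernel_range_ok(uintptr_t src, size_t size)
{
	if (src < KERNEL_START)
		return false;          /* starts in (or below) user space */
	if (size == 0)
		return true;
	return size - 1 <= UINTPTR_MAX - src;
}

/* Stand-in for probe_read_common(): copies if the whole span is backed
 * by one of the constructed windows, otherwise reports the fault the
 * real helper would take while copying. It does NOT care which range
 * the address belongs to; that is exactly what the strict check adds. */
static long probe_read_common_model(void *dst, uintptr_t src, size_t size)
{
	if (size <= WINDOW && src >= KERNEL_START &&
	    src - KERNEL_START <= WINDOW - size) {
		memcpy(dst, kernel_mem + (src - KERNEL_START), size);
		return 0;
	}
	if (size <= WINDOW && src >= USER_BASE &&
	    src - USER_BASE <= WINDOW - size) {
		memcpy(dst, user_mem + (src - USER_BASE), size);
		return 0;
	}
	return -EFAULT;            /* nothing mapped there: would have faulted */
}

/* Strict variant: range check first, then the fault-tolerant copy. */
static long probe_kernel_read_strict_model(void *dst, uintptr_t src, size_t size)
{
	if (!kernel_range_ok(src, size))
		return -EFAULT;
	return probe_read_common_model(dst, src, size);
}

/* Legacy non-strict variant: no range check, so a user address "works". */
static long probe_kernel_read_legacy_model(void *dst, uintptr_t src, size_t size)
{
	return probe_read_common_model(dst, src, size);
}

int main(void)
{
	unsigned char buf[8] = { 0 };

	printf("strict, kernel addr : %ld\n",
	       probe_kernel_read_strict_model(buf, KERNEL_START + 4, 4));
	printf("strict, user addr   : %ld\n",
	       probe_kernel_read_strict_model(buf, USER_BASE, 4));
	printf("legacy, user addr   : %ld\n",
	       probe_kernel_read_legacy_model(buf, USER_BASE, 4));
	printf("strict, wraps around: %ld\n",
	       probe_kernel_read_strict_model(buf, UINTPTR_MAX - 1, 4));
	return 0;
}
```

The interesting case is the last call: the start address sits inside the kernel range, so a check that only looked at `src` would pass it, yet `src + size` wraps to a low (user) address. Putting the overflow-aware check in one arch-provided `kernel_range_ok()` keeps that reasoning in a single place instead of in every caller.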