[PATCH v2 1/5] fs: use raw_copy_from_user() to copy mount() data

From: Peter Collingbourne
Date: Tue Nov 23 2021 - 00:17:17 EST


With uaccess logging the contract is that the kernel must not report
accessing more data than necessary, as this can lead to false positive
reports in downstream consumers. This generally works out of the box
when instrumenting copy_{from,to}_user(), but with the data argument
to mount() we use copy_from_user() to copy PAGE_SIZE bytes (or as
much as we can, if the PAGE_SIZE sized access failed) and figure out
later how much we actually need.

To prevent this from leading to a false positive report, use
raw_copy_from_user(), which will prevent the access from being logged.
Recall that it is valid for the kernel to report accessing less
data than it actually accessed, as uaccess logging is a best-effort
mechanism for reporting uaccesses.

Link: https://linux-review.googlesource.com/id/I5629b92a725c817acd9a861288338dd605cafee6
Signed-off-by: Peter Collingbourne <pcc@xxxxxxxxxx>
---
fs/namespace.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 659a8f39c61a..695b30e391f0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3197,7 +3197,12 @@ static void *copy_mount_options(const void __user * data)
if (!copy)
return ERR_PTR(-ENOMEM);

- left = copy_from_user(copy, data, PAGE_SIZE);
+ /*
+ * Use raw_copy_from_user to avoid reporting overly large accesses in
+ * the uaccess buffer, as this can lead to false positive reports in
+ * downstream consumers.
+ */
+ left = raw_copy_from_user(copy, data, PAGE_SIZE);

/*
* Not all architectures have an exact copy_from_user(). Resort to
--
2.34.0.rc2.393.gf8c9666880-goog