RE: [PATCH] x86: Allow user accesses to the base of the guard page

[David Laight]

From: Linus Torvalds
> Sent: 23 November 2024 19:03
> 
> On Sat, 23 Nov 2024 at 10:48, David Laight <David.Laight@xxxxxxxxxx> wrote:
> >
> > In that case access_ok(ptr, size) will check that 'ptr + size'
> > is a valid user address -
> 
> The point of USER_PTR_MAX is that the size never matters and we never
> check it. So the "-1" is basically just the minimal size.
> 
> And the code does actually depend on the fact that the access has to
> start *before* the boundary to work.

That is the boundary at the end of the guard page.

> Now, we do have that whole "at least PAGE_SIZE of guard page", and so
> the 1-byte minimal size doesn't actually matter, but I don't see the
> point of the change.
> 
> In particular, I don't see when it would matter to do access_ok(ptr,
> 0) in the first place. Who does that, and why would it make any sense?

The problem is that it is valid to pass a buffer that ends right
at the end of valid user memory.
In that case the 'ptr + size' that access_ok() checks is equal to
'TASK_SIZE_MAX' - and currently fails.

There is also an access_ok() check in iovec_import (or is it
import_iovec) that does a check on every fragment.
It is definitely valid to pass a zero length buffer there.
(That check is probably redundant.)

So access_ok() can't check 'ptr + size - 1' without an extra check
for zero length.
And, in any case, you wouldn't want to subtract one in every access_ok()
call.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)