Re: AUDIT: copy_from_user is a deathtrap.

Rusty Russell (rusty@rustcorp.com.au)
Sun, 19 May 2002 14:01:25 +1000


In message <20020518200540.N8794@work.bitmover.com> you write:
> On Sat, May 18, 2002 at 08:01:48PM -0700, Linus Torvalds wrote:
> > On Sun, 19 May 2002, Rusty Russell wrote:
> > >
> > > Huh? No, you ask for 2000 bytes into a buffer that can only take 1000
> > > bytes without hitting an unmapped page, returning EFAULT or giving a
> > > SIGSEGV is perfectly acceptable.
> >
> > Bzzt, wrong answer.
>
> Linus is absolutely right. The correct semantics are to return the number
> of bytes read, if they are greater than zero, and on the next read return
> the error. This has been a corner case in read for a long time in various
> Unix versions, and Linus has it right. I went through this back at Sun
> and we explored all the different ways, and the bottom line is that you
> first ACK that you moved some data and then you NAK on the next read.

It's interesting to look at this backwards:

Imagine if copy_to_user returned void and delivered a SIGSEGV
on fault, and always had.

Now, to fix this, we'd want to add new code paths to the 5,500
callers throughout the kernel.

I'm pretty sure everyone would balk. They'd say "sorry, you're going
to have to wrap your syscalls somehow".

But as we all know, it is harder to remove a feature from Linux, than
to get the camel book through the eye of a needle (or something).

Oh well,
Rusty.

--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/