Al Viro <[email protected]> writes: > On Fri, Apr 25, 2014 at 02:43:42PM -0700, Eric W. Biederman wrote: > >> ssize_t __vfs_read(struct file *file, char __user *buf, size_t count, loff_t >> *pos) >> { >> ssize_t ret; >> >> if (!(file->f_mode & FMODE_READ)) >> return -EBADF; >> if (!file->f_op->read && !file->f_op->aio_read) >> return -EINVAL; >> if (unlikely(!access_ok(VERIFY_WRITE, buf, count))) >> return -EFAULT; >> >> if (ret >= 0) { >> count = ret; >> if (file->f_op->read) >> ret = file->f_op->read(file, buf, count, pos); >> else >> ret = do_sync_read(file, buf, count, pos); >> } >> >> return ret; >> } > > ... which lacks the f_pos wraparound, etc. checks done by rw_verify_area(). > IOW, it's one more place to grep through while verifying that ->read() > et.al. do not get called with such arguments.
Agreed it must be done more delicately than my sketch. I am not familiar with how much value such sanity checks add. Especially when the read is not coming from a potentially hostile userspace. > fanotify probably could be skipped - ask the security circus crowd about > that one, it's their bast^Wbaby. When the point is having a factor of read that skips the security circus I think it makes sense to skip this too. At least as a starting position. > add_rchar() and inc_syscr()... depends on > whether you want those reads hidden from accounting. I doubt it matters in practice, the code is cheap. Still it feels wrong to account reads to a task that did not ask for them. It feels more correct to account that kind of read into a different bucket. Say the reads performed by the kernel for mysterious kernel activities. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
