Le 22/06/2025 à 18:57, Linus Torvalds a écrit :
On Sun, 22 Jun 2025 at 02:52, Christophe Leroy
<christophe.leroy@xxxxxxxxxx> wrote:
The results of "access_ok()" can be mis-speculated.
Hmm. This code is critical. I think it should be converted to use that
masked address thing if we have to add it here.
Ok, I'll add it.
And at some point this access_ok() didn't even exist, because we check
the addresses at iter creation time. So this one might be a "belt and
suspenders" check, rather than something critical.
(Although I also suspect that when we added ITER_UBUF we might have
created cases where those user addresses aren't checked at iter
creation time any more).
Let's take the follow path as an exemple:
snd_pcm_ioctl(SNDRV_PCM_IOCTL_WRITEI_FRAMES)
snd_pcm_common_ioctl()
snd_pcm_xferi_frames_ioctl()
snd_pcm_lib_write()
__snd_pcm_lib_xfer()
default_write_copy()
copy_from_iter()
_copy_from_iter()
__copy_from_iter()
iterate_and_advance()
iterate_and_advance2()
iterate_iovec()
copy_from_user_iter()
As far as I can see, none of those functions check the accessibility of
the iovec. Am I missing something ?
Christophe
