On 24/10/2023 14:35, Akram Ahmad wrote:
The mmc_ioc_cmd and mmc_ioc_multi_cmd structs are used to hold information and data about an MMC ioctl.
The PCuABI uses 129-bit capabilities as user pointers, which means that the __u64 type must be replaced with the __kernel_uintptr_t type, which is large enough to hold capabilities, yet will remain 64-bit on other architectures. Additional modifications must be made to the copy routines, and some explicit checks on the permissions of the capabilities have also been added.
Signed-off-by: Akram Ahmad Akram.Ahmad@arm.com
drivers/mmc/core/block.c | 16 ++++++++++++---- include/uapi/linux/mmc/ioctl.h | 4 ++-- 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 8ded96ea629b..d027c70dc79b 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -454,7 +454,7 @@ static int get_mmc_ioc_cmd_from_compat64(struct mmc_ioc_cmd *native_cmd, native_cmd->data_timeout_ns = compat_cmd.data_timeout_ns; native_cmd->cmd_timeout_ms = compat_cmd.cmd_timeout_ms; native_cmd->__pad = compat_cmd.__pad;
- native_cmd->data_ptr = compat_cmd.data_ptr;
- native_cmd->data_ptr = (__kernel_uintptr_t)compat_ptr(compat_cmd.data_ptr);
return 0; } @@ -464,7 +464,7 @@ static int copy_mmc_ioc_cmd_from_user(struct mmc_ioc_cmd *to, void * __user src) if (in_compat64()) return get_mmc_ioc_cmd_from_compat64(to, src);
- if (copy_from_user(to, src, sizeof(*to)))
- if (copy_from_user_with_ptr(to, src, sizeof(*to))) return -EFAULT; return 0;
} @@ -481,6 +481,11 @@ static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user( goto out; }
- if (!check_user_ptr_read(&user->data_ptr, sizeof(user->data_ptr))) {
Explicit checking is only required in those rare cases where user memory is accessed via a kernel mapping. Here we are passing data_ptr to memdup_user(), which itself copies the user data using copy_from_user(), i.e. normal uaccess that already does the checking "for free".
This line should also give you a warning as &user->data_ptr is not a capability, it's a regular pointer (to a capability).
err = -EFAULT;goto idata_err;- }
- if (copy_mmc_ioc_cmd_from_user(&idata->ic, user)) { err = -EFAULT; goto idata_err;
@@ -497,7 +502,7 @@ static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user( return idata; }
- idata->buf = memdup_user(uaddr_to_user_ptr(idata->ic.data_ptr),
- idata->buf = memdup_user((void __user *)(idata->ic.data_ptr),
No need for parentheses around idata->ic.data_ptr.
idata->buf_bytes);if (IS_ERR(idata->buf)) { err = PTR_ERR(idata->buf); @@ -524,8 +529,11 @@ static int mmc_blk_ioctl_copy_to_user(struct mmc_ioc_cmd __user *ic_ptr, if (copy_to_user(response_uptr, ic->response, sizeof(ic->response))) return -EFAULT;
- if (!check_user_ptr_write((void __user *)ic->data_ptr, idata->buf_bytes))
Like above, we are using regular uaccess so no need for explicit checking.
return -EFAULT;- if (!idata->ic.write_flag) {
if (copy_to_user(uaddr_to_user_ptr(ic->data_ptr),
if (copy_to_user_with_ptr((void __user *)(ic->data_ptr), idata->buf, idata->buf_bytes))
Does idata->buf actually contain pointers? We should only use copy_*_user_with_ptr() when the data to be copied contains pointers.
return -EFAULT;} diff --git a/include/uapi/linux/mmc/ioctl.h b/include/uapi/linux/mmc/ioctl.h index e7401ade6822..6caf1239d993 100644 --- a/include/uapi/linux/mmc/ioctl.h +++ b/include/uapi/linux/mmc/ioctl.h @@ -46,7 +46,7 @@ struct mmc_ioc_cmd { __u32 __pad; /* DAT buffer */
- __u64 data_ptr;
- __kernel_uintptr_t data_ptr;
}; #define mmc_ioc_cmd_set_data(ic, ptr) ic.data_ptr = (__u64)(unsigned long) ptr @@ -57,7 +57,7 @@ struct mmc_ioc_cmd {
- @cmds: Array of commands with length equal to 'num_of_cmds'
*/ struct mmc_ioc_multi_cmd {
- __u64 num_of_cmds;
- __kernel_uintptr_t num_of_cmds;
That's not a pointer, no need to change its representation in PCuABI. __u64s in uapi headers often represent pointers but not quite always!
Kevin
struct mmc_ioc_cmd cmds[]; };