Validate & Copy?

Posted Sep 4, 2025 6:57 UTC (Thu) by Wol (subscriber, #4433)
Parent article: Tracking trust with Rust in the kernel

My reaction on reading bits of this was: should you combine the validate and copy functions? So a user-space untrusted S could be copied into a validated kernel-space T. This would then make clear that TOCTOU bugs are (absent other bugs) impossible, and also - by creating a slightly higher abstraction - make it easier for users of the API.

Cheers,
Wol

Validate & Copy?

Posted Sep 6, 2025 8:04 UTC (Sat) by lossin (subscriber, #177724)

I think we definitely can add functions to UserSliceReader that copy and validate in the same step. But we'll have to do that for every single way you can read untrusted data. Having a generic API that you can just plug untrusted values into should still exist for APIs that don't provide such a function themselves. There are also other use-cases for untrusted data, for example with UserSliceReader you might also just want to copy some bytes from one place in userspace to another and you wouldn't want to validate anything in between. So if we only had the copy & validate function, you would have to write an empty validation function for [u8].

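The two designs the comments above weigh against each other, as an added standalone Rust example (editor's illustration, not code from the kernel crate, the article, or either poster): a generic read that hands back an Untrusted wrapper for the caller to validate, a combined read_validated that copies and validates in one call, a user-to-user copy_to that needs no validator at all, and a side-by-side showing why checking bytes in place and copying afterwards is a TOCTOU bug while copy-then-check is not. The names Untrusted, Validator, UserSliceReader, UserMem, Header, HeaderValidator and MAX_PAYLOAD are illustrative stand-ins, and the 3-byte header format and the RefCell-backed "user memory" (cloned so a second handle can play a racing userspace thread) are constructed for the demonstration.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Validation failure (hypothetical error type, not the kernel crate's).
#[derive(Debug, PartialEq, Eq)]
pub struct ValidationError(pub &'static str);

/// A validator turns a raw untrusted value into a typed, trusted one.
pub trait Validator<T> {
    type Output;
    fn validate(raw: T) -> Result<Self::Output, ValidationError>;
}

/// Kernel-owned copy of user data not yet checked; private field, so a Validator is the only way out.
pub struct Untrusted<T>(T);

impl<T> Untrusted<T> {
    pub fn validate<V: Validator<T>>(self) -> Result<V::Output, ValidationError> {
        V::validate(self.0)
    }
}

/// Toy user-space buffer (constructed). A clone shares the bytes and can play a racing userspace thread.
#[derive(Clone)]
pub struct UserMem(Rc<RefCell<Vec<u8>>>);

impl UserMem {
    pub fn new(bytes: &[u8]) -> Self { UserMem(Rc::new(RefCell::new(bytes.to_vec()))) }
    /// Userspace overwriting part of its own buffer.
    pub fn write(&self, off: usize, bytes: &[u8]) {
        self.0.borrow_mut()[off..off + bytes.len()].copy_from_slice(bytes);
    }
    pub fn bytes(&self) -> Vec<u8> { self.0.borrow().clone() }
}

/// Stand-in for a UserSliceReader: bytes leave user memory only by being copied.
pub struct UserSliceReader { mem: UserMem, pos: usize, end: usize }

impl UserSliceReader {
    pub fn new(mem: UserMem, len: usize) -> Self { UserSliceReader { mem, pos: 0, end: len } }
    fn copy_out(&mut self, n: usize) -> Result<Vec<u8>, ValidationError> {
        if self.pos + n > self.end { return Err(ValidationError("read past end of user slice")); }
        let copy = self.mem.0.borrow()[self.pos..self.pos + n].to_vec();
        self.pos += n;
        Ok(copy)
    }
    /// Generic API: copy now, let the caller plug the result into any validator later.
    pub fn read(&mut self, n: usize) -> Result<Untrusted<Vec<u8>>, ValidationError> {
        self.copy_out(n).map(Untrusted)
    }
    /// Copy and validate in one step: the check runs on the kernel copy, which userspace cannot touch.
    pub fn read_validated<V: Validator<Vec<u8>>>(&mut self, n: usize) -> Result<V::Output, ValidationError> {
        self.read(n)?.validate::<V>()
    }
    /// User-to-user copy: no validation wanted, so no (empty) validator required.
    pub fn copy_to(&mut self, dst: &UserMem, dst_off: usize, n: usize) -> Result<(), ValidationError> {
        dst.write(dst_off, &self.copy_out(n)?);
        Ok(())
    }
}

/// A made-up 3-byte header: version (must be 1), then little-endian payload length (<= MAX_PAYLOAD).
#[derive(Debug, PartialEq, Eq)]
pub struct Header { pub version: u8, pub payload_len: u16 }
pub const MAX_PAYLOAD: u16 = 1024;
pub struct HeaderValidator;

impl Validator<Vec<u8>> for HeaderValidator {
    type Output = Header;
    fn validate(raw: Vec<u8>) -> Result<Header, ValidationError> {
        if raw.len() != 3 { return Err(ValidationError("header must be 3 bytes")); }
        if raw[0] != 1 { return Err(ValidationError("unsupported version")); }
        let payload_len = u16::from_le_bytes([raw[1], raw[2]]);
        if payload_len > MAX_PAYLOAD { return Err(ValidationError("payload too large")); }
        Ok(Header { version: raw[0], payload_len })
    }
}

/// The pattern a combined copy-and-validate rules out: check the bytes while they still live in
/// user memory, copy them later. `racer` models a userspace thread running between check and copy.
pub fn check_in_place_then_copy(mem: &UserMem, racer: impl FnOnce()) -> Result<Header, ValidationError> {
    let m = mem.0.borrow();
    let ok = m.len() == 3 && m[0] == 1 && u16::from_le_bytes([m[1], m[2]]) <= MAX_PAYLOAD;
    drop(m); // check-time borrow released; userspace can now rewrite the buffer
    if !ok { return Err(ValidationError("rejected at check time")); }
    racer();
    let m = mem.0.borrow();
    let header = Header { version: m[0], payload_len: u16::from_le_bytes([m[1], m[2]]) };
    Ok(header) // may carry values the check never saw
}

/// Same race through the reader: the copy happens before `racer`, so the validated Header can only
/// hold values the check actually saw.
pub fn copy_then_check(mem: &UserMem, racer: impl FnOnce()) -> Result<Header, ValidationError> {
    let header = UserSliceReader::new(mem.clone(), 3).read_validated::<HeaderValidator>(3);
    racer();
    header
}
```

The generic `read` keeps the "plug an untrusted value into any validator" path lossin describes, `read_validated` is the one-step form Wol asks for, and `copy_to` is the [u8] pass-through case that would otherwise need an empty validator. The two race functions make the TOCTOU argument concrete: with check-in-place the header that reaches the kernel can be one the validator rejected, while with copy-then-check the racer's write either lands before the copy (and is rejected) or after it (and is irrelevant).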

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds