
VFS read/write access under KERNEL_DS

Posted Jul 20, 2018 3:49 UTC (Fri) by TheJH (subscriber, #101155)
Parent article: The problem with the asynchronous bsg interface

For context, here is how such issues can be abused to corrupt kernel memory, in particular via sys_splice(): https://www.spinics.net/lists/linux-rdma/msg36015.html

Basically, there are a few places in the kernel (sys_splice() is the most interesting one, but there are others) that call VFS read/write handlers under KERNEL_DS, so that copy_to_user()/copy_from_user() can also access kernel memory; all the copy_to_user()/copy_from_user() calls in VFS read/write context can be treated as essentially equivalent to __copy_from_user()/__copy_to_user(). The buffer/length pair provided to the read/write handler is guaranteed to be safe, but if you either access other random addresses or access the provided buffer beyond the provided length, bad stuff happens.

One particularly annoying thing about this kind of bug is that KASAN doesn't see the bogus access, and pagefaults on kernel addresses don't trigger oopses (because they are treated as userspace faults, so you just get -EFAULT). So if you hit this kind of bug with something like a fuzzer, you're unlikely to actually notice anything. I wonder whether I should try to write a patch to change that... maybe let the pagefault handler ignore uaccess fixups when KERNEL_DS is active, with an exception for __probe_kernel_read/__probe_kernel_write or so?

Another slightly related bug, from 2016: https://bugs.chromium.org/p/project-zero/issues/detail?id... - this one wasn't in VFS context, but in handler code for performance counter overflows, which can trigger in pretty much any context.

Another related bug (not from me): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/... - this one is an overflow beyond the end of the provided buffer in a debugfs read handler; if you are root and fiddle around with splice a bit, you can get this to overflow beyond the pipe page, crashing the machine.
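Added example (not the comment author's code and not kernel code): a plain user-space C model of the read-handler contract described above, showing a handler that ignores the supplied length (the bug class in the last paragraph) beside one clamped the way the kernel's simple_read_from_buffer() clamps; the page buffer, canary and debugfs contents are constructed, and memcpy() stands in for copy_to_user() under KERNEL_DS.

```c
/* Added example (not from the comment or the kernel): user-space model of a
 * VFS read handler called under KERNEL_DS, where copy_to_user() has no
 * address check and is effectively memcpy(). */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_LEN 64    /* stands in for the pipe page splice() hands over */
#define CANARY_LEN 64  /* memory after the page; must never be written */

/* Constructed file contents, deliberately longer than one page. */
static const char kmsg[] = "constructed debugfs contents: "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

/* Bug class from the comment: the handler ignores `count` and `*ppos`,
 * so with KERNEL_DS the unchecked copy runs past the buffer it was given. */
ssize_t buggy_read(char *buf, size_t count, off_t *ppos)
{
    (void)count;
    memcpy(buf, kmsg, sizeof(kmsg) - 1);     /* copy_to_user() under KERNEL_DS */
    *ppos += (off_t)(sizeof(kmsg) - 1);
    return (ssize_t)(sizeof(kmsg) - 1);
}

/* Fixed handler, shaped like the kernel's simple_read_from_buffer():
 * copy at most `count` bytes and never past the end of the data. */
ssize_t fixed_read(char *buf, size_t count, off_t *ppos)
{
    size_t avail = sizeof(kmsg) - 1, pos = (size_t)*ppos;
    if (pos >= avail)
        return 0;
    if (count > avail - pos)
        count = avail - pos;
    memcpy(buf, kmsg + pos, count);          /* copy_to_user() under KERNEL_DS */
    *ppos += (off_t)count;
    return (ssize_t)count;
}

/* Call a handler with a PAGE_LEN buffer followed by a canary; returns 1 if
 * the canary is intact, 0 if the handler wrote past the buffer it was given. */
int canary_intact(ssize_t (*read)(char *, size_t, off_t *))
{
    char region[PAGE_LEN + CANARY_LEN];
    off_t pos = 0;
    memset(region, 'C', sizeof(region));
    read(region, PAGE_LEN, &pos);
    for (size_t i = PAGE_LEN; i < sizeof(region); i++)
        if (region[i] != 'C') return 0;
    return 1;
}
```

In the real kernel the bytes past the page are not a canary but whatever follows the pipe page, which is why the comment describes this as a crash or memory-corruption primitive rather than a benign read error.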



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds