Date: Mon, 13 Dec 2021 15:50:34 -0800
From: Kees Cook
To: Matthew Wilcox
Cc: linux-mm@kvack.org, Thomas Gleixner, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3 3/3] mm/usercopy: Detect compound page overruns
Message-ID: <202112131548.F76CB37@keescook>

On Mon, Dec 13, 2021 at 11:44:33PM +0000, Matthew Wilcox wrote:
> On Mon, Dec 13, 2021 at 12:52:22PM -0800, Kees Cook wrote:
> > On Mon, Dec 13, 2021 at 02:27:03PM +0000, Matthew Wilcox (Oracle) wrote:
> > > Move the compound page overrun detection out of
> > > CONFIG_HARDENED_USERCOPY_PAGESPAN so it's enabled for more people.
> >
> > I'd argue that everything else enabled by USERCOPY_PAGESPAN could be
> > removed now too. Do you want to add a 4th patch to rip that out?
> >
> > https://github.com/KSPP/linux/issues/163
>
> I don't mind ... is it your assessment that it's not worth checking for
> a copy_to/from_user that spans a boundary between a reserved and
> !reserved page, or overlaps the boundary of rodata/bss/data/CMA?
>
> I have no basis on which to judge that, so it's really up to you.

It's always been a problem because some arch mark the kernel as
reserved, so we have to do all the allow-listing first, which is
tedious. I'd certainly like to add all the checks possible, but
rationally, we need to keep only the stuff that is fast, useful, or
both. PAGESPAN has been disabled almost everywhere, too, so I don't
think it's a loss.

--
Kees Cook