From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail6.bemta8.messagelabs.com (mail6.bemta8.messagelabs.com [216.82.243.55]) by kanga.kvack.org (Postfix) with ESMTP id 239726B0012 for ; Sun, 3 Jul 2011 15:11:30 -0400 (EDT) Received: from mail-wy0-f169.google.com (mail-wy0-f169.google.com [74.125.82.169]) (authenticated bits=0) by smtp1.linux-foundation.org (8.14.2/8.13.5/Debian-3ubuntu1.1) with ESMTP id p63JAoAg005389 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Sun, 3 Jul 2011 12:10:51 -0700 Received: by wyg36 with SMTP id 36so4125939wyg.14 for ; Sun, 03 Jul 2011 12:10:49 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20110703185709.GA7414@albatros> References: <20110703111028.GA2862@albatros> <20110703185709.GA7414@albatros> From: Linus Torvalds Date: Sun, 3 Jul 2011 12:10:29 -0700 Message-ID: Subject: Re: [RFC v1] implement SL*B and stack usercopy runtime checks Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-linux-mm@kvack.org List-ID: To: Vasiliy Kulikov Cc: kernel-hardening@lists.openwall.com, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, Arnd Bergmann , Christoph Lameter , Pekka Enberg , Matt Mackall , Andrew Morton , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org On Sun, Jul 3, 2011 at 11:57 AM, Vasiliy Kulikov wrote: >> If you seriously clean it up (that at a minimum includes things like >> making it configurable using some pretty helper function that just >> compiles away for all the normal cases, > > Hm, it is not as simple as it looks at the first glance - even if the > object size is known at the compile time (__compiletime_object_size), it > might be a field of a structure, which crosses the slab object > boundaries because of an overflow. No, I was more talking about having something like #ifdef CONFIG_EXPENSIVE_CHECK_USERCOPY extern int check_user_copy(const void *kptr, unsigned long size); #else static inline int check_user_copy(const void *kptr, unsigned long size) { return 0; } #endif so that the actual user-copy routines end up being clean and not have #ifdefs in them or any implementation details like what you check (stack, slab, page cache - whatever) If you can also make it automatically not generate any code for cases that are somehow obviously safe, then that's an added bonus. But my concern is that performance is a real issue, and the strict user-copy checking sounds like mostly a "let's enable this for testing kernels when chasing some particular issue" feature, the way DEBUG_PAGEALLOC is. And at the same time, code cleanliness and maintainability is a big deal, so the usercopy code itself should have minimal impact and look nice regardless (which is why I strongly object to that kind of "(!slab_access_ok(to, n) || !stack_access_ok(to, n))" crud - the internal details of what you check are *totally* irrelevant to the usercopy code. Linus -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/ Don't email: email@kvack.org