Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752634AbeAKXFU (ORCPT + 1 other); Thu, 11 Jan 2018 18:05:20 -0500 Received: from mail-ua0-f193.google.com ([209.85.217.193]:40498 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750782AbeAKXFQ (ORCPT ); Thu, 11 Jan 2018 18:05:16 -0500 X-Google-Smtp-Source: ACJfBot8p3aYf/ogvGTnDs/augCuborjVhWheEH8HjXHag5tszTkSelo2iyiu8svhqFFaW8qYj4ENxMOn7HSzfDvK4M= MIME-Version: 1.0 In-Reply-To: <20180111170119.GB19241@thunk.org> References: <1515636190-24061-1-git-send-email-keescook@chromium.org> <1515636190-24061-14-git-send-email-keescook@chromium.org> <20180111170119.GB19241@thunk.org> From: Kees Cook Date: Thu, 11 Jan 2018 15:05:14 -0800 X-Google-Sender-Auth: dcmitCWlM6BfBC3oHozoNe0BKmQ Message-ID: Subject: Re: [PATCH 13/38] ext4: Define usercopy region in ext4_inode_cache slab cache To: "Theodore Ts'o" , Kees Cook , LKML , David Windsor , Andreas Dilger , Ext4 Developers List , Linus Torvalds , Alexander Viro , Andrew Morton , Andy Lutomirski , Christoph Hellwig , Christoph Lameter , "David S. Miller" , Laura Abbott , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christian Borntraeger , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett , "linux-fsdevel@vger.kernel.org" , linux-arch , Network Development , Linux-MM , kernel-hardening@lists.openwall.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o wrote: > On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote: >> The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data >> and therefore contained in the ext4_inode_cache slab cache, need >> to be copied to/from userspace. > > Symlink operations to/from userspace aren't common or in the hot path, > and when they are in i_data, limited to at most 60 bytes. Is it worth > it to copy through a bounce buffer so as to disallow any usercopies > into struct ext4_inode_info? If this is the only place it's exposed, yeah, that might be a way to avoid the per-FS patches. This would, AIUI, require changing readlink_copy() to include a bounce buffer, and that would require an allocation. I kind of prefer just leaving the per-FS whitelists, as then there's no global overhead added. -Kees -- Kees Cook Pixel Security