From: Kees Cook
Date: Fri Nov 18 2016 - 12:55:15 EST

On Fri, Nov 18, 2016 at 9:47 AM, Christoph Lameter <cl@xxxxxxxxx> wrote:
> On Thu, 17 Nov 2016, Michael Ellerman wrote:
>> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
>> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
> Well yes that was done so we do not add too many branches all over the
> kernel.....

There are actually very few callers of this macro. (Though it's
possible they're executed frequently.)

>> That no longer really works once we add the poison delta, so split it
>> into two checks. Assign x to a temporary to avoid evaluating it
>> twice (suggested by Kees Cook).
> And now you are doing just that.

In this case, what about the original < ZERO_SIZE_PTR check Michael
suggested? At least the one use in usercopy.c needs to be fixed, but
otherwise, it should be fine?


Kees Cook
Nexus Security
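A user-space model of the macro shapes the thread discusses, added here as an example that is not code from the thread or from the kernel tree; the 16-byte ZERO_SIZE_PTR base and the POISON_DELTA value are assumptions for illustration. It shows that the single `<=` check accepts every address up to ZERO_SIZE_PTR once a delta is added, that a naive split into two checks evaluates its argument twice, and that assigning the argument to a temporary fixes both.

```c
/* Added example, not the kernel's headers: user-space model of
 * ZERO_OR_NULL_PTR() variants. The 16-byte base and POISON_DELTA
 * are assumptions chosen for illustration. */
#include <stddef.h>
#include <stdint.h>

#define POISON_DELTA  0x1000UL                       /* assumed delta */
#define ZERO_SIZE_PTR ((void *)(16 + POISON_DELTA))

/* Original trick: one comparison, which also accepts every address
 * between NULL and ZERO_SIZE_PTR (1..15 without a delta, far more with). */
#define ZERO_OR_NULL_PTR_OLD(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

/* Naive split into two checks: exact, but evaluates x twice. */
#define ZERO_OR_NULL_PTR_NAIVE(x) (!(x) || (x) == ZERO_SIZE_PTR)

/* Split with a temporary (GNU statement expression): x evaluated once. */
#define ZERO_OR_NULL_PTR_NEW(x) ({ \
	const void *zonp_tmp = (const void *)(x); \
	zonp_tmp == NULL || zonp_tmp == ZERO_SIZE_PTR; \
})

/* Counts how many addresses in [0, ZERO_SIZE_PTR] a variant accepts;
 * only NULL and ZERO_SIZE_PTR itself should be accepted. */
int matches(int use_new)
{
	int n = 0;
	for (uintptr_t a = 0; a <= (uintptr_t)ZERO_SIZE_PTR; a++)
		n += use_new ? ZERO_OR_NULL_PTR_NEW((void *)a)
			     : ZERO_OR_NULL_PTR_OLD((void *)a);
	return n;
}

/* Side-effecting argument, to count how often a macro evaluates x. */
static int eval_count;
static const void *counted(const void *p) { eval_count++; return p; }

/* Returns how many times the chosen macro evaluated its argument. */
int evals(int use_new)
{
	eval_count = 0;
	if (use_new)
		(void)ZERO_OR_NULL_PTR_NEW(counted(ZERO_SIZE_PTR));
	else
		(void)ZERO_OR_NULL_PTR_NAIVE(counted(ZERO_SIZE_PTR));
	return eval_count;
}
```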