Re: [GIT PULL] usercopy whitelisting for v4.15-rc1

From: Linus Torvalds
Date: Fri Nov 17 2017 - 12:35:26 EST
On Fri, Nov 17, 2017 at 8:54 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> (Sorry if this pull request is a duplicate: I just don't want to miss
> the merge window, given its potential for being shorter than usual.)

Honestly, these things always end up waiting until the end for me, simply
because they are scary, and I don't trust them, so I feel I need to
spend time on them.

And when I pull 20+ other pull requests a day, I don't have _time_ to
spend time on them.

They are scary because:

- they touch core stuff

- I don't trust security people to do sane things

- they tend to come in as a "fait accompli" with a shit-ton of random
arbitrary rules, and are still likely to not be complete.

which just makes these pull requests very painful.

We had a ton of issues with the original hardened usercopy just doing
bad things.

We _still_ have outstanding issues with the structure randomization
corrupting the kernel.

These "hardening" things really seem to be a source of random bugs,
and they haven't been extensively tested, and the people involved
quite often don't seem to care about basic cleanliness (because
"security is so important that nothing else matters").

Honestly, I'm unlikely to pull this at all this merge window, simply
because I won't have time for it. This merge window is not going to be
one where I can take a leisurely look at something like this.

If you can make a smaller pull request that introduces the
infrastructure, but that _obviously_ cannot actually break anything,
that would be more likely to be palatable.

Because right now I'm in "the last hardening feature has an unknown
breakage that nobody knows how to even get to the bottom of, I'm _so_
not interested in another of these things" mode.

Linus