Re: [GIT PULL] usercopy whitelisting for v4.15-rc1

From: Lukas Wunner
Date: Tue Nov 21 2017 - 08:53:55 EST

On Mon, Nov 20, 2017 at 04:42:46PM -0800, Kees Cook wrote:
> I'm always trying to balance the requests from both ends of the
> security defense spectrum. One of the most common requests I get from
> people who are strongly interested in the defenses is "can this please
> be enabled by default?" And then I have to explain that it sometimes
> takes time for code to shake out, and it sometimes takes time for
> developers to trust it, etc. This is rarely a comfort to them, but
> they tend to be glad they can turn some config knob to enable the
> "strongest" version, etc, because for them, a false positive is no big
> deal. At the other end is the requirement that new stuff should not
> break the system. Both are reasonable perspectives, but if we violate
> the latter, the defense will never end up in the kernel in the first
> place.

I think Linus' objections must be seen in a broader context,
the last months we've seen a large influx of semi-automatically
generated hardening patches (constification mostly); The volume
of these was at times overwhelming, in some cases they were dropped
on the mailing lists in a fire-and-forget fashion and there are
multiple documented cases where these patches broke things and the
community was left to repair the fallout.

When LWN published the 4.14 patch statistics (which some contributors
seem to mistake for a high score), Alexandre Belloni (+cc) rightfully
raised a complaint and included links to some of the broken patches:

There is a growing sense that hardening patches (which are generally
desirable of course) are forced into the kernel without due diligence.
Objections against tone notwithstanding, making that concern known in
a form with greater visibility than an LWN comment was appropriate by

It is most unfortunate that these concerns happened to be adressed to
you personally and stalled your patches (the quality of which I cannot
judge), even though they must (in my opinion) be interpreted in the
context of this larger issue.

It is likewise most unfortunate that this allowed bloggers, journalists
and HN know-it-alls with zero commits in the kernel and zero participation
on the mailing lists to focus on tone and whatnot, but completely
ignore what this is really about.