Re: [PATCH 13/38] ext4: Define usercopy region in ext4_inode_cache slab cache
From: Kees Cook
Date: Thu Jan 11 2018 - 18:05:26 EST
On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote:
>> The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data
>> and therefore contained in the ext4_inode_cache slab cache, need
>> to be copied to/from userspace.
>
> Symlink operations to/from userspace aren't common or in the hot path,
> and when they are in i_data, limited to at most 60 bytes. Is it worth
> it to copy through a bounce buffer so as to disallow any usercopies
> into struct ext4_inode_info?
If this is the only place it's exposed, yeah, that might be a way to
avoid the per-FS patches. This would, AIUI, require changing
readlink_copy() to include a bounce buffer, and that would require an
allocation. I kind of prefer just leaving the per-FS whitelists, as
then there's no global overhead added.
-Kees
--
Kees Cook
Pixel Security