Thread: 33 messages, 7 authors, 2016-07-21

[PATCH v3 00/11] mm: Hardened usercopy

From: David Laight <hidden>
Date: 2016-07-20 09:54:23
Also in: linux-arch, linux-mm, linuxppc-dev, lkml, sparclinux

From: Kees Cook
Sent: 15 July 2016 22:44
This is a start of the mainline port of PAX_USERCOPY[1]. 
...
- if address range is in the current process stack, it must be within the
  current stack frame (if such checking is possible) or at least entirely
  within the current process's stack.
...

That description doesn't seem quite right to me.
I presume the check is:
  Within the current process's stack and not crossing the ends of the
  current stack frame.

The 'current' stack frame is likely to be that of copy_to/from_user().
Even if you use the stack of the caller, any problematic buffers
are likely to have been passed in from a calling function.
So unless you are going to walk the stack (good luck on that)
I'm not sure checking the stack frames is worth it.

I'd also guess that a lot of copies are from the middle of structures
so cannot fail the tests you are adding.

	David
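A userspace model of the stack rule David is questioning, added here as an example that is not part of the thread or of the patch series: check_stack_object(), the enum values and the stack/frame bounds are assumed names and constructed values. It reads the rule the way David restates it (entirely inside the stack, and never crossing an end of the current frame), and it considers only one frame, so it does not walk callers' frames.

```c
#include <stdint.h>
#include <stddef.h>

/* Result of classifying a copy buffer against the current task's stack. */
enum stack_check {
    NOT_STACK,   /* buffer does not touch the stack at all */
    GOOD_FRAME,  /* buffer lies entirely inside the current stack frame */
    GOOD_STACK,  /* inside the stack; frame unknown, or outside the frame */
    BAD_STACK    /* buffer straddles an end of the stack or of the frame */
};

/*
 * Hypothetical model of the "in current process stack" rule.
 * The stack is [stack_lo, stack_hi); the current frame, when the
 * architecture can supply one, is [frame_lo, frame_hi) (both 0 if unknown).
 */
enum stack_check check_stack_object(uintptr_t ptr, size_t len,
                                    uintptr_t stack_lo, uintptr_t stack_hi,
                                    uintptr_t frame_lo, uintptr_t frame_hi)
{
    uintptr_t end;

    if (len == 0)
        return NOT_STACK;
    /* ptr + len wrapping around means the range is nonsense: reject it. */
    if (ptr + len - 1 < ptr)
        return BAD_STACK;
    end = ptr + len;               /* exclusive end of the buffer */

    /* Entirely outside the stack: not this check's concern. */
    if (end <= stack_lo || ptr >= stack_hi)
        return NOT_STACK;
    /* Touches the stack but crosses one of its ends. */
    if (ptr < stack_lo || end > stack_hi)
        return BAD_STACK;
    /* No frame information: settle for "entirely within the stack". */
    if (frame_lo == 0 && frame_hi == 0)
        return GOOD_STACK;
    /* Entirely inside the current frame is fine ... */
    if (ptr >= frame_lo && end <= frame_hi)
        return GOOD_FRAME;
    /* ... and a buffer crossing a frame boundary is what the rule rejects. */
    if (ptr < frame_hi && end > frame_lo)
        return BAD_STACK;
    /* Inside the stack but in some other frame: all the model can say. */
    return GOOD_STACK;
}
```

A buffer that lives in a caller's frame comes back as GOOD_STACK here, which is exactly the case David points out a single-frame check cannot distinguish from a bad one.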