[PATCH v3 00/11] mm: Hardened usercopy
From: David Laight <hidden>
Date: 2016-07-20 09:54:23
Also in:
linux-arch, linux-mm, linuxppc-dev, lkml, sparclinux
From: Kees Cook
Sent: 15 July 2016 22:44

This is a start of the mainline port of PAX_USERCOPY[1].
...
- if address range is in the current process stack, it must be within the current stack frame (if such checking is possible) or at least entirely within the current process's stack.
...

That description doesn't seem quite right to me.
I presume the check is:
Within the current process's stack and not crossing the ends of the current stack frame.

The 'current' stack frame is likely to be that of copy_to/from_user().
Even if you use the stack of the caller, any problematic buffers are likely to have been passed in from a calling function.
So unless you are going to walk the stack (good luck on that) I'm not sure checking the stack frames is worth it.

I'd also guess that a lot of copies are from the middle of structures so cannot fail the tests you are adding.

David
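The part of the check that both sides of this exchange agree on is the coarse one: the copied range must lie entirely inside the process's stack, and a range that straddles either end of the stack must be rejected. The following is an added, stand-alone illustration of that bounds test in plain user-space C; it is not code from the patch series or from this message, and the function name check_stack_range, the enum names and the constructed stack bounds are this example's own assumptions. It deliberately does not walk stack frames, which is the part the reply above argues is impractical; it only implements the "entirely within the current process's stack" rule, including the length-overflow case a real check must also catch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the simplified stack check. These names are assumptions made
 * for this example; they are not the kernel's own enum. */
enum stack_check {
    NOT_ON_STACK  = 0,   /* range lies entirely outside the stack; other checks apply */
    WITHIN_STACK  = 1,   /* range lies entirely inside [stack_low, stack_high) */
    CROSSES_STACK = -1   /* range straddles a stack boundary or its length wraps: reject */
};

/*
 * Classify the byte range [obj, obj + len) against the stack region
 * [stack_low, stack_high). This is the "entirely within the current
 * process's stack" rule only; no frame walking is attempted.
 */
enum stack_check check_stack_range(uintptr_t obj, size_t len,
                                   uintptr_t stack_low, uintptr_t stack_high)
{
    uintptr_t end;

    if (len == 0)
        return NOT_ON_STACK;        /* nothing is copied, nothing to validate here */

    end = obj + len;                /* exclusive end of the range */
    if (end < obj)
        return CROSSES_STACK;       /* obj + len wrapped around the address space */

    /* Neither endpoint inside the stack and not spanning it: not our concern. */
    if (end <= stack_low || obj >= stack_high)
        return NOT_ON_STACK;

    /* Both endpoints inside the stack: acceptable. */
    if (obj >= stack_low && end <= stack_high)
        return WITHIN_STACK;

    /* One end on the stack and the other off it (or spanning the whole stack). */
    return CROSSES_STACK;
}

/* Constructed stand-in for the process stack so the demo runs in user space. */
static unsigned char fake_stack[4096];

int main(void)
{
    uintptr_t low  = (uintptr_t)fake_stack;
    uintptr_t high = low + sizeof(fake_stack);
    int i;

    /* Constructed cases: offset relative to the stack base, and a length. */
    struct { long off; size_t len; const char *what; } cases[] = {
        {  512,        64, "buffer in the middle of the stack"      },
        { 4096 - 16,   16, "buffer ending exactly at the stack top" },
        { 4096 - 8,    16, "buffer running off the stack top"       },
        {   -8,        16, "buffer starting below the stack bottom" },
        { -1024,       32, "buffer entirely below the stack"        },
        {  512,  SIZE_MAX, "length that wraps the address space"    },
    };

    for (i = 0; i < (int)(sizeof(cases) / sizeof(cases[0])); i++) {
        uintptr_t obj = low + (uintptr_t)cases[i].off;
        enum stack_check r = check_stack_range(obj, cases[i].len, low, high);
        printf("%-40s -> %s\n", cases[i].what,
               r == WITHIN_STACK ? "within stack" :
               r == NOT_ON_STACK ? "not on stack" : "REJECT (crosses boundary)");
    }
    return 0;
}
```

The test with numeric bounds below shows the boundary conditions the prose describes: a range touching the stack top exactly is still within, one byte past it is rejected, and a range that spans the whole stack from below is also rejected because it crosses both ends.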