On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o [off-list ref] wrote:
On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote:
quoted
The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data
and therefore contained in the ext4_inode_cache slab cache, need
to be copied to/from userspace.
Symlink operations to/from userspace aren't common or in the hot path,
and when they are in i_data, limited to at most 60 bytes. Is it worth
it to copy through a bounce buffer so as to disallow any usercopies
into struct ext4_inode_info?
If this is the only place it's exposed, yeah, that might be a way to
avoid the per-FS patches. This would, AIUI, require changing
readlink_copy() to include a bounce buffer, and that would require an
allocation. I kind of prefer just leaving the per-FS whitelists, as
then there's no global overhead added.
-Kees
--
Kees Cook
Pixel Security