> From: Kees Cook
> Sent: 15 July 2016 22:44
>
> This is a start of the mainline port of PAX_USERCOPY[1].
...
> - if address range is in the current process stack, it must be within the
>   current stack frame (if such checking is possible) or at least entirely
>   within the current process's stack.
...

That description doesn't seem quite right to me.
I presume the check is:
    Within the current process's stack and not crossing the ends of the current stack frame.

The 'current' stack frame is likely to be that of copy_to/from_user().
Even if you use the stack of the caller, any problematic buffers are likely
to have been passed in from a calling function.

So unless you are going to walk the stack (good luck on that) I'm not sure
checking the stack frames is worth it.

I'd also guess that a lot of copies are from the middle of structures so
cannot fail the tests you are adding.

	David
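To make the two checks being argued about concrete, here is an added user-space model in C. It is example code written for this discussion, not code from the patch series, the kernel or PaX, and every name in it (object_within_stack, object_within_frames, check_stack_object, the model stack layout) is hypothetical. It assumes an x86-64 style frame-pointer chain on a downward-growing stack: the word at a frame pointer holds the caller's saved frame pointer, the next word the return address, and the caller's locals occupy the words from there up to the caller's own frame pointer. The first function is the weaker "entirely within the current process's stack" test; the second walks the frame chain and rejects any copy that overlaps a saved-fp/return-address pair, i.e. one that crosses the ends of a stack frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel or PaX code: a user-space model of the two
 * stack checks discussed in the thread. All names are hypothetical.
 *
 * Model: x86-64 style frame-pointer chain on a downward-growing stack.
 *   fp[0] = caller's saved frame pointer, fp[1] = return address,
 *   [fp + 2 words, caller_fp) = the caller's locals.
 */

enum stack_check { NOT_STACK = 0, GOOD_STACK = 1, GOOD_FRAME = 2, BAD_STACK = 3 };

#define WORD sizeof(uintptr_t)

/* Weak check: is the object entirely inside the task's stack? */
static enum stack_check object_within_stack(uintptr_t stack_lo, uintptr_t stack_hi,
                                            uintptr_t obj, size_t len)
{
    uintptr_t end;

    if (__builtin_add_overflow(obj, len, &end))
        return BAD_STACK;                       /* wrapped address range */
    if (end <= stack_lo || obj >= stack_hi)
        return NOT_STACK;                       /* entirely off the stack */
    if (obj < stack_lo || end > stack_hi)
        return BAD_STACK;                       /* straddles a stack boundary */
    return GOOD_STACK;
}

/*
 * Strong check: walk the frame chain from the checker's own frame pointer
 * and accept the object only if it sits inside one frame's locals, never
 * overlapping a saved-fp/return-address pair.
 */
static enum stack_check object_within_frames(const uintptr_t *fp,
                                             uintptr_t stack_lo, uintptr_t stack_hi,
                                             uintptr_t obj, size_t len)
{
    const uintptr_t *prev = fp;
    uintptr_t end = obj + len;                  /* overflow already rejected by caller */

    if (end <= (uintptr_t)fp)
        return BAD_STACK;                       /* below the checker's own frame */

    fp = (const uintptr_t *)*prev;              /* caller's frame pointer */
    while (stack_lo <= (uintptr_t)fp && (uintptr_t)fp < stack_hi &&
           (uintptr_t)fp > (uintptr_t)prev) {   /* chain must move up: sanity guard */
        uintptr_t locals_lo = (uintptr_t)(prev + 2);   /* above prev's saved fp + ret */
        uintptr_t locals_hi = (uintptr_t)fp;            /* up to the owning frame's fp */

        if (end <= locals_hi)                   /* first frame ending at/above the object */
            return obj >= locals_lo ? GOOD_FRAME : BAD_STACK;
        prev = fp;
        fp = (const uintptr_t *)*fp;
    }
    return BAD_STACK;                           /* chain ended before a frame contained it */
}

static enum stack_check check_stack_object(const uintptr_t *fp,
                                           uintptr_t stack_lo, uintptr_t stack_hi,
                                           uintptr_t obj, size_t len)
{
    enum stack_check r = object_within_stack(stack_lo, stack_hi, obj, len);
    return r == GOOD_STACK ? object_within_frames(fp, stack_lo, stack_hi, obj, len) : r;
}

/* Constructed model stack: 64 words, frame pointers at words 4, 12, 24 and 40. */
#define MODEL_WORDS 64
static uintptr_t model_stack[MODEL_WORDS];
static uintptr_t off_stack_buf[8];              /* constructed: a non-stack object */

static const uintptr_t *build_model_stack(void)
{
    model_stack[4]  = (uintptr_t)&model_stack[12];  /* checker's frame -> its caller */
    model_stack[12] = (uintptr_t)&model_stack[24];
    model_stack[24] = (uintptr_t)&model_stack[40];
    model_stack[40] = 0;                            /* end of the chain */
    return &model_stack[4];
}

/* Check a copy of 'nwords' words starting at model word 'word'. */
static enum stack_check demo(size_t word, size_t nwords)
{
    const uintptr_t *fp = build_model_stack();
    return check_stack_object(fp, (uintptr_t)model_stack,
                              (uintptr_t)(model_stack + MODEL_WORDS),
                              (uintptr_t)(model_stack + word), nwords * WORD);
}

int main(void)
{
    printf("inside one frame's locals : %d (GOOD_FRAME=2)\n", demo(14, 4));
    printf("across a saved fp/ret pair: %d (BAD_STACK=3)\n",  demo(10, 6));
    printf("runs off the stack top    : %d (BAD_STACK=3)\n",  demo(60, 8));
    return 0;
}
```

The walk rejects a copy that overlaps a saved frame pointer or return address (demo(10, 6), demo(12, 1)) but has no way to know how large the source object is: demo(26, 2) is accepted whether the two words are a whole local or the middle of a larger struct, which is the limitation the reply above points at. Starting the walk from the checker's own frame rather than from its caller is what lets buffers passed down from further up the call chain still be matched against the frame that owns them.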