On Tue, Dec 12, 2017 at 3:11 AM, Dave Martin <Dave.Martin@xxxxxxx> wrote: > On Tue, Dec 12, 2017 at 10:40:30AM +0000, Will Deacon wrote: >> On Mon, Dec 11, 2017 at 11:23:09AM -0800, Kees Cook wrote: >> > On Mon, Dec 11, 2017 at 6:07 AM, Will Deacon <will.deacon@xxxxxxx> wrote: >> > > On Thu, Dec 07, 2017 at 10:50:38AM -0800, Kees Cook wrote: >> > >> My question is mainly: why not just use copy_*() everywhere instead? >> > >> Having these things so spread out makes it fragile, and there's very >> > >> little performance benefit from using __copy_*() over copy_*(). >> > > >> > > I think that's more of a general question. Why not just remove the __ >> > > versions from the kernel entirely if they're not worth the perf? >> > >> > That has been something Linus has strongly suggested in the past, so >> > I've kind of been looking for easy places to drop the __copy_* >> > versions. :) >> >> Tell you what then: I'll Ack the arm64 patch if it's part of a series >> removing the thing entirely :p >> >> I guess we'd still want to the validation of the whole sigframe though, >> so we don't end up pushing half a signal stack before running into an >> access_ok failure? > > That's an interesting question. In many cases access_ok() might become > redundant, but for syscalls that you don't want to have side-effects > on user memory on failure it's still relevant. > > In the signal case we'd still an encompassing access_ok() to prevent > stack guard overruns, because the signal frame can be large and isn't > written or read contiguously or in a well-defined order. Yeah, I think bailing early is fine. I think the existing access_ok() checks are fine; I wouldn't want to drop those. -Kees -- Kees Cook Pixel Security
