On Wed, Apr 10, 2019 at 02:57:46PM -0700, Kees Cook wrote: > On Wed, Apr 10, 2019 at 12:07 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > That didn't answer my question. My question is what is the purpose of this? If > > there was actual buffer overflow when __GFP_COMP isn't specified that would make > > perfect sense, but AFAICS there isn't. So why does hardened usercopy consider > > it broken when __GFP_COMP isn't specified? > > The goal of CONFIG_HARDENED_USERCOPY_PAGESPAN was to detect copies > across page boundaries in memory allocated by the page allocator. > There appear to be enough cases of allocations that span pages but do > not mark them with __GFP_COMP, so this logic hasn't proven useful in > the real world (which is why no one should use the ..._PAGESPAN config > in production). I'd like to get the kernel to the point where hardened > usercopy can correctly do these checks (right now it's mainly only > useful at checking for overflows in slub and slab), but it'll take > time/focus for a while. No one has had time yet to track all of these > down and fix them. (I defer to Laura and Rik on the design of the > pagespan checks; they did the bulk of the work there.) > > Does that help explain it, or am I still missing your question? > > -- > Kees Cook You've explained *what* it does again, but not *why*. *Why* do you want hardened usercopy to detect copies across page boundaries, when there is no actual buffer overflow? - Eric