On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o <tytso@xxxxxxx> wrote: > On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote: >> The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data >> and therefore contained in the ext4_inode_cache slab cache, need >> to be copied to/from userspace. > > Symlink operations to/from userspace aren't common or in the hot path, > and when they are in i_data, limited to at most 60 bytes. Is it worth > it to copy through a bounce buffer so as to disallow any usercopies > into struct ext4_inode_info? If this is the only place it's exposed, yeah, that might be a way to avoid the per-FS patches. This would, AIUI, require changing readlink_copy() to include a bounce buffer, and that would require an allocation. I kind of prefer just leaving the per-FS whitelists, as then there's no global overhead added. -Kees -- Kees Cook Pixel Security