On Thu, Jan 11, 2018 at 03:05:14PM -0800, Kees Cook wrote: > On Thu, Jan 11, 2018 at 9:01 AM, Theodore Ts'o <tytso@xxxxxxx> wrote: > > On Wed, Jan 10, 2018 at 06:02:45PM -0800, Kees Cook wrote: > >> The ext4 symlink pathnames, stored in struct ext4_inode_info.i_data > >> and therefore contained in the ext4_inode_cache slab cache, need > >> to be copied to/from userspace. > > > > Symlink operations to/from userspace aren't common or in the hot path, > > and when they are in i_data, limited to at most 60 bytes. Is it worth > > it to copy through a bounce buffer so as to disallow any usercopies > > into struct ext4_inode_info? > > If this is the only place it's exposed, yeah, that might be a way to > avoid the per-FS patches. This would, AIUI, require changing > readlink_copy() to include a bounce buffer, and that would require an > allocation. I kind of prefer just leaving the per-FS whitelists, as > then there's no global overhead added. I think Ted was proposing having a per-FS patch that would, say, copy up to 60 bytes to the stack, then memcpy it into the ext4_inode_info.