linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Paolo Bonzini <pbonzini@redhat.com>
Cc: David Windsor <dave@nullcore.net>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1
Date: Fri, 17 Nov 2017 12:35:28 -0800	[thread overview]
Message-ID: <CAGXu5jL=aowLRbn1QQaSXuSvmJrKos0msSXCmU18kqTRjy2gPA@mail.gmail.com> (raw)
In-Reply-To: <47222b54-cb13-2362-a525-714be2ba96de@redhat.com>

On Fri, Nov 17, 2017 at 9:45 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> On 17/11/2017 18:35, Linus Torvalds wrote:
>> Honestly, I'm unlikely to pull this at all this merge window, simply
>> because I won't have time for it. This merge window is not going to be
>> one where I can take a leisurely look at something like this.
>>
>> If you can make a smaller pull request that introduces the
>> infrastructure, but that _obviously_ cannot actually break anything,
>> that would be more likely to be palatable.
>
> As someone that was actually bitten by this stuff, and had a closer look
> at the usercopy whitelisting stuff...  This one is really fail-fast
> (oopses all around if you forget to patch something), and with hardly

This is why I introduced the fallback mode: with both kvm and sctp
(ipv6) not noticed until late in the development cycle, I became much
less satisfied it had gotten sufficient testing. I wanted to make sure
there was a way for the series to land without actually breaking
things due to any missed whitelists.

> any configuration dependency.  It's certainly a lot less scary to me
> than the GCC plugin stuff.

Agreed: this is a different type of change entirely. The GCC plugins
tend to be pretty invasive and non-discoverable. I prefer stuff like
this series, which is all visible in the code.

> But I don't want to ruin your Thanksgiving, so if Kees and/or you choose
> not to do this pull request---please do pull a subset, even after -rc1.
> It's easy enough to drop the final patch that changes whitelisting to
> blacklisting, and it'd be one less series bouncing around and touching
> files in several subsystems.

With the fallback mode, missed whitelists generate a WARN and are
allowed, so this series effectively only introduces tight controls on
the places where a whitelist is specifically introduced. And I went to
great lengths to document each whitelist usage in the commit logs.

I would agree it would be nice to get at least a subset of this in,
though. Linus, what would make you most comfortable?

-Kees

-- 
Kees Cook
Pixel Security

  reply	other threads:[~2017-11-17 20:38 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-17 16:54 [GIT PULL] usercopy whitelisting for v4.15-rc1 Kees Cook
2017-11-17 17:35 ` Linus Torvalds
2017-11-17 17:45   ` Paolo Bonzini
2017-11-17 20:35     ` Kees Cook [this message]
2017-11-17 21:13       ` Linus Torvalds
2017-11-17 22:19         ` Kees Cook
2017-11-20 19:50         ` Matthew Garrett
     [not found]           ` <CA+55aFyMtpYASreqGuRmJoB8isJnhOxsWMa4uoQu6WtBJDHU6A@mail.gmail.com>
2017-11-20 23:29             ` Matthew Garrett
2017-11-21  0:42               ` Kees Cook
2017-11-21 13:53                 ` Lukas Wunner
2017-11-21 17:22                   ` Randy Dunlap
2017-11-21 14:34           ` Linus Torvalds
2017-11-21 13:48         ` Jason A. Donenfeld
2017-11-21 15:25           ` Linus Torvalds
  -- strict thread matches above, loose matches on Subject: below --
2017-11-13  7:29 Kees Cook
2017-11-16  7:45 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5jL=aowLRbn1QQaSXuSvmJrKos0msSXCmU18kqTRjy2gPA@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=dave@nullcore.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).