[GIT PULL] usercopy fixes for v4.8-rc6-part2

[GIT PULL] usercopy fixes for v4.8-rc6-part2

[Kees Cook]

Hi,

Please pull these usercopy fixes for v4.8-rc6-part2.

Thanks!

-Kees

The following changes since commit ab29b33a84f6910ebf01a32f69a370886a4283dd:

  Merge tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux (2016-09-07 10:46:06 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.8-rc6-part2

for you to fetch changes up to 8e1f74ea02cf4562404c48c6882214821552c13f:

  usercopy: remove page-spanning test for now (2016-09-07 11:33:26 -0700)

----------------------------------------------------------------
- force check_object_size() to be inline too
- move page-spanning check behind a CONFIG since it's triggering false positives

----------------------------------------------------------------
Kees Cook (2):
      usercopy: force check_object_size() inline
      usercopy: remove page-spanning test for now

 include/linux/thread_info.h |  4 +--
 mm/usercopy.c               | 61 ++++++++++++++++++++++++++-------------------
 security/Kconfig            | 11 ++++++++
 3 files changed, 48 insertions(+), 28 deletions(-)

-- 
Kees Cook
Nexus Security

Re: [GIT PULL] usercopy fixes for v4.8-rc6-part2

[Linus Torvalds]

On Wed, Sep 7, 2016 at 11:36 AM, Kees Cook <keescook@chromium.org> wrote:
>
> - move page-spanning check behind a CONFIG since it's triggering false positives

Hmm. I pulled this, but looking at it I realized that

+       depends on !COMPILE_TEST

doesn't make any real sense to me.

All it does is make sure that "make allmodconfig" doesn't actually
test that the PAGESPAN code compiles.

It's not like that is a big cost for allmodconfig builds, but it does
mean that it gets less coverage.

And it really makes no sense to me. We *don't* want to run with that
option enabled normally.

I think what you actually meant was something like

+       depends on EXPERT

which means that it does *not* get enabled in normal user builds.

Hmm?

                  Linus

Re: [GIT PULL] usercopy fixes for v4.8-rc6-part2

[Kees Cook]

On Wed, Sep 7, 2016 at 12:15 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Wed, Sep 7, 2016 at 11:36 AM, Kees Cook <keescook@chromium.org> wrote:
>>
>> - move page-spanning check behind a CONFIG since it's triggering false positives
>
> Hmm. I pulled this, but looking at it I realized that
>
> +       depends on !COMPILE_TEST
>
> doesn't make any real sense to me.
>
> All it does is make sure that "make allmodconfig" doesn't actually
> test that the PAGESPAN code compiles.
>
> It's not like that is a big cost for allmodconfig builds, but it does
> mean that it gets less coverage.
>
> And it really makes no sense to me. We *don't* want to run with that
> option enabled normally.
>
> I think what you actually meant was something like
>
> +       depends on EXPERT
>
> which means that it does *not* get enabled in normal user builds.
>
> Hmm?

I guess that's true -- I was trying to think of a way to make sure it
didn't get tested by 0-day syscall fuzzer on a randconfig, since I
didn't want the noise. But now that I double-check this, yeah, it
looks like randconfig doesn't set COMPILE_TEST. Hmpf.

I will send another patch to flip this to EXPERT, and if 0-day finds
issues, I can add them to the __GPF_COMP hit-list. :P

-Kees

-- 
Kees Cook
Nexus Security

Re: [GIT PULL] usercopy fixes for v4.8-rc6-part2

[Kees Cook]

On Wed, Sep 7, 2016 at 2:32 PM, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Sep 7, 2016 at 12:15 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> On Wed, Sep 7, 2016 at 11:36 AM, Kees Cook <keescook@chromium.org> wrote:
>>>
>>> - move page-spanning check behind a CONFIG since it's triggering false positives
>>
>> Hmm. I pulled this, but looking at it I realized that
>>
>> +       depends on !COMPILE_TEST
>>
>> doesn't make any real sense to me.
>>
>> All it does is make sure that "make allmodconfig" doesn't actually
>> test that the PAGESPAN code compiles.
>>
>> It's not like that is a big cost for allmodconfig builds, but it does
>> mean that it gets less coverage.
>>
>> And it really makes no sense to me. We *don't* want to run with that
>> option enabled normally.
>>
>> I think what you actually meant was something like
>>
>> +       depends on EXPERT
>>
>> which means that it does *not* get enabled in normal user builds.
>>
>> Hmm?
>
> I guess that's true -- I was trying to think of a way to make sure it
> didn't get tested by 0-day syscall fuzzer on a randconfig, since I
> didn't want the noise. But now that I double-check this, yeah, it
> looks like randconfig doesn't set COMPILE_TEST. Hmpf.
>
> I will send another patch to flip this to EXPERT, and if 0-day finds
> issues, I can add them to the __GPF_COMP hit-list. :P

Oh! Nevermind, I see you did that already. Thank you! :)

-Kees

-- 
Kees Cook
Nexus Security