Re: [PATCH] sysctl: Make sure proc handlers can't expose heap memory
From: Kees Cook
Date: Tue May 05 2020 - 19:23:19 EST
On Tue, May 05, 2020 at 10:03:27PM +0000, Luis Chamberlain wrote:
> On Tue, May 05, 2020 at 01:41:44PM -0700, Kees Cook wrote:
> > Right -- while it'd be nice if the developer noticed it, it is _usually_
> > an unsuspecting end user (or fuzzer), in which case we absolutely want a
> > WARN (and not a BUG![1]) and have the situations handled gracefully, so
> > it can be reported and fixed.
>
> I've been using WARN*() for this exact purpose before, so I am as
> surprised as you are bout these concerns. However if we have folks
I don't see any mismatch here: it's not user-reachable, which is what
Greg said. WARN is for non-user-reachable "impossible situations". We
want to know if those can be hit (via bad API usage, races, etc). If
it's reachable from userspace, then it can't be a WARN() any more and
needs to be pr_warn().
> shipping with panic-on-warn this would be rather detrimental to our
> goals.
>
> Greg, are you aware of folks shipping with panic-on-warn on some products?
People shipping with panic_on_warn are expecting to panic for WARNs like
this. :P
--
Kees Cook