Message-ID: <Pine.LNX.4.64.0703291134070.6730@woody.linux-foundation.org>
Date: Thu, 29 Mar 2007 11:37:03 -0700 (PDT)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Jan Engelhardt <jengelh@...ux01.gwdg.de>
cc: "linux-os (Dick Johnson)" <linux-os@...logic.com>,
"Amit K. Arora" <aarora@...ux.vnet.ibm.com>,
akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-ext4@...r.kernel.org,
xfs@....sgi.com, suparna@...ibm.com, cmm@...ibm.com
Subject: Re: Interface for the new fallocate() system call

On Thu, 29 Mar 2007, Jan Engelhardt wrote:
>
> I have to disagree, since wrapping it into a struct and copying the struct
> in kernelspace from userspace requires more code.

Not just more code, but more security issues too.

Passing system call arguments by value means that there are no subtle
security issues - the value you use is the value you got. But once you
pass-by-reference, you have to make damn sure that you do the proper user
space accesses and verify the pointer correctly.

User-space (aka "user-supplied") pointers are just more dangerous. We
obviously can't avoid them, but they need much more care than just a
random value directly passed in a register.

Linus
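
The by-value versus by-reference point above, as an added example that is not part of the original message and is not kernel code: a user-space C simulation in which a by-reference handler that fetches twice ends up acting on a value it never checked. `struct falloc_args`, `fetch_user()`, `user_setup()` and the 4096 limit are hypothetical stand-ins, and the racing user thread is modelled deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical by-reference argument block; not the real fallocate() ABI. */
struct falloc_args { int64_t offset; int64_t len; };
#define BAD(len) ((len) < 0 || (len) > 4096)   /* constructed limit */

/* Constructed stand-in for user memory and a racing user thread: right
 * after the first fetch, the user side rewrites len to racing_len. */
static struct falloc_args user_mem;
static int64_t racing_len, fetches;

static void user_setup(int64_t len, int64_t new_len)
{
    user_mem.len = len; racing_len = new_len; fetches = 0;
}

/* Mock of a copy_from_user()-style fetch; NULL stands in for a bad pointer. */
static int fetch_user(void *dst, const void *usrc, size_t n)
{
    if (!usrc) return -1;
    memcpy(dst, usrc, n);
    if (++fetches == 1) user_mem.len = racing_len;   /* user-side rewrite */
    return 0;
}

/* Checks the first fetch, uses the second: checked value != used value. */
int64_t by_ref_double_fetch(const struct falloc_args *uptr)
{
    struct falloc_args a;
    if (fetch_user(&a, uptr, sizeof a) || BAD(a.len)) return -1;
    return fetch_user(&a, uptr, sizeof a) ? -1 : a.len;   /* second fetch */
}

/* One copy into handler-owned storage; check and use see the same bytes. */
int64_t by_ref_single_copy(const struct falloc_args *uptr)
{
    struct falloc_args a;
    return (fetch_user(&a, uptr, sizeof a) || BAD(a.len)) ? -1 : a.len;
}

/* By value: the value checked is the value used, nothing to re-read. */
int64_t by_value(int64_t len) { return BAD(len) ? -1 : len; }

int main(void)
{
    user_setup(100, (int64_t)1 << 30);   /* len is rewritten after the check */
    printf("double fetch: %lld\n", (long long)by_ref_double_fetch(&user_mem));
}
```
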