Re: [PATCH] Avoid buffer overflows in get_user_pages()
- From: Bodo Eggert <7eggert@xxxxxx>
- Date: Tue, 12 Feb 2008 09:34:16 +0100
Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@xxxxxxx> wrote:
Avoid buffer overflows in get_user_pages()
So I spent a while pounding my head against my monitor trying to figure
out the vmsplice() vulnerability - how could a failure to check for
*read* access turn into a root exploit? It turns out that it's a buffer
overflow problem which is made easy by the way get_user_pages() is
coded.
In particular, "len" is a signed int, and it is only checked at the
*end* of a do {} while() loop. So, if it is passed in as zero, the loop
will execute once and decrement len to -1. At that point, the loop will
proceed until the next invalid address is found; in the process, it will
likely overflow the pages array passed in to get_user_pages().
[...]
Can we just convert
do {
...
} while (len);
into
while (len) {
while (len > 0), if I understand this patch correctly.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- Prev by Date: Re: One minute delay when booting 2.6.24.1
- Next by Date: [PATCH] trivial: fix alignment of IP-Config output
- Previous by thread: Re: [PATCH] Avoid buffer overflows in get_user_pages()
- Next by thread: Re: [PATCH] Core driver for WM97xx touchscreens
- Index(es):
Relevant Pages
|
