lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 25 Oct 2006 11:59:05 -0700
From:	Suzuki K P <suzuki@...ibm.com>
To:	lkml <linux-kernel@...r.kernel.org>
Subject: Behaviour of compat_msgsnd/compat_msgrcv calls

Hi,

I have a question regarding the behaviour of the comapt_msgsnd/ 
compat_msgrcv ()s. Don't know if this has been discussed already or if 
as I could not find any threads in the archives. Please bear with me if 
this is really a stupid question.

  The maximum length of the message that can be sent or received in any 
of those functions above is MAXBUF-(sizeof (struct msgbuf)), where 
MAXBUF is 64k.

ipc/compat.c : compat_msgrcv()
         if (second < 0 || (second >= MAXBUF - sizeof(struct msgbuf)))
                           ^^^^^^
                 return -EINVAL;

Is this limit due to the buffer allocation in user space as below ?

  And the way we are doing this is by allocating a buffer of msgsize on 
the userspace stack using compat_alloc_user_space() instead of using the 
buffer provided by the user and later copying the result back to the 
user buffer.

         if (!version) {
            [...]
                 if (copy_from_user (&ipck, uptr, sizeof(ipck)))
                         goto out;
                 uptr = compat_ptr(ipck.msgp);
                 msgtyp = ipck.msgtyp;

         }

         p = compat_alloc_user_space(second + sizeof(struct msgbuf));

Do we really need this allocation ?

         err = sys_msgrcv(first, p, second, msgtyp, third);

Is there any specific reason behind this ? Can't we just use the user 
buffer directly instead of doing an additional copy_in_user ?
ie,
	err = sys_msgrcv(first, uptr, second, msgtyp, third);

Thanks,

-Suzuki
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ