lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Mar 2007 22:50:58 +0300 From: Michael Tokarev <mjt@....msk.ru> To: Eric Dumazet <dada1@...mosbay.com> CC: Jiri Kosina <jikos@...os.cz>, Tomas M <tomas@...x.org>, linux-kernel@...r.kernel.org Subject: Re: [patch] [bugfix] loop.c Eric Dumazet wrote: [] > > MODULE_PARM_DESC(max_loop, "Maximum number of loop devices (1-16384)"); Speaking of which, I wonder... Here, and in many other places. If some variable is marked as MODULE_PARAM (or whatever it is called nowadays), used in module init routine, AND subsequently used for various bound checks and loops... Consider this: MODULE_PARAM(n); foo_init() { mem = kmalloc(n * sizeof(void*)); .. } foo_func() { for (i = 0; i < n; ++i) do_something_with_mem(mem[i]) } and so on. Together with: # modprobe foo n=10 # echo 20 > /sys/module/foo/parameters/n After that, we have 10 entries in mem[], and n is equal to 20, so the for-loop above will be up to i=19. Which will reference unallocated memory.... Amd I dreaming? Thanks. /mjt - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists