| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Mar 2007 22:50:58 +0300
From: Michael Tokarev <mjt@....msk.ru>
To: Eric Dumazet <dada1@...mosbay.com>
CC: Jiri Kosina <jikos@...os.cz>, Tomas M <tomas@...x.org>,
linux-kernel@...r.kernel.org
Subject: Re: [patch] [bugfix] loop.c
Eric Dumazet wrote:
[]
>
> MODULE_PARM_DESC(max_loop, "Maximum number of loop devices (1-16384)");
Speaking of which, I wonder... Here, and in many other places.
If some variable is marked as MODULE_PARAM (or whatever it is called
nowadays), used in module init routine, AND subsequently used for various
bound checks and loops...
Consider this:
MODULE_PARAM(n);
foo_init() {
mem = kmalloc(n * sizeof(void*));
..
}
foo_func() {
for (i = 0; i < n; ++i)
do_something_with_mem(mem[i])
}
and so on. Together with:
# modprobe foo n=10
# echo 20 > /sys/module/foo/parameters/n
After that, we have 10 entries in mem[], and
n is equal to 20, so the for-loop above will be
up to i=19. Which will reference unallocated
memory....
Amd I dreaming?
Thanks.
/mjt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists