| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1JOqan-0000hX-1T@be1.7eggert.dyndns.org>
Date: Tue, 12 Feb 2008 09:34:16 +0100
From: Bodo Eggert <7eggert@....de>
To: Andrew Morton <akpm@...ux-foundation.org>,
Jonathan Corbet <corbet@....net>, linux-kernel@...r.kernel.org,
torvalds@...ux-foundation.org
Subject: Re: [PATCH] Avoid buffer overflows in get_user_pages()
Andrew Morton <akpm@...ux-foundation.org> wrote:
> On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@....net> wrote:
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit? It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1. At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
[...]
> Can we just convert
>
> do {
> ...
> } while (len);
>
> into
>
> while (len) {
while (len > 0), if I understand this patch correctly.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists