[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180625164109.GF30522@ZenIV.linux.org.uk>
Date: Mon, 25 Jun 2018 17:41:09 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Jann Horn <jannh@...gle.com>
Cc: Richard Henderson <rth@...ddle.net>,
Ivan Kokshaysky <ink@...assic.park.msu.ru>,
Matt Turner <mattst88@...il.com>,
"David S. Miller" <davem@...emloft.net>,
linux-kernel@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>,
linux-alpha@...r.kernel.org, sparclinux@...r.kernel.org,
security@...nel.org, Christoph Hellwig <hch@...radead.org>,
Serge Hallyn <serge@...lyn.com>
Subject: Re: [PATCH] sys: don't hold uts_sem while accessing userspace memory
On Mon, Jun 25, 2018 at 06:34:10PM +0200, Jann Horn wrote:
> + char tmp[32];
>
> - if (namelen > 32)
> + if (namelen < 0 || namelen > 32)
> namelen = 32;
>
> down_read(&uts_sem);
> kname = utsname()->domainname;
> len = strnlen(kname, namelen);
> - if (copy_to_user(name, kname, min(len + 1, namelen)))
> - err = -EFAULT;
> + len = min(len + 1, namelen);
> + memcpy(tmp, kname, len);
> up_read(&uts_sem);
>
> - return err;
> + if (copy_to_user(name, tmp, len))
> + return -EFAULT;
Infoleak, and similar in a lot of other places.
Powered by blists - more mailing lists