For ARM, this isn't a problem (we do 33-bit arithmetic in access_ok
specifically to catch this type of thing). x86 does the same thing (or
did when I wrote the code for ARM.
> Now, providing the malicious user passes a low user space pointer (e.g.
> just above 0), the kernel's virtual address space wrap check will not
> trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user
> being able to read kernel memory.
But ~0 + ~2GB = ~2GB. Last time I checked, ~2GB is less than 3GB, and 3GB
is the start of kernel memory on x86. Therefore, I don't see that the
user will be able to read kernel memory.
-- Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux http://www.arm.linux.org.uk/personal/aboutme.html- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/