Re: [CHECKER] 4 security holes in 2.4.4-ac8

Dawson Engler (engler@csl.Stanford.EDU)
Tue, 29 May 2001 15:57:53 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Previous message: Steve Whitehouse: "Re: [CHECKER] 84 bugs in 2.4.4/2.4.4-ac8 where NULL pointers are deref'd"
Next in thread: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Reply: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Reply: Ingo Molnar: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"

> > [BUG] raddr seems to be a user pointer, but is written at the end of
> > the system call.
> >
> > ipc/shm.c: ERROR: system call 'sys_shmat' derefs non-tainted param= 3
> >
> > asmlinkage long sys_shmat (int shmid, char *shmaddr, int shmflg, ulong *raddr)
> > {
> > struct shmid_kernel *shp;
> >
> >
> > ...
> > *raddr = (unsigned long) user_addr;
> > err = 0;
> > if (IS_ERR(user_addr))
> > err = PTR_ERR(user_addr);
> > return err;
>
> Believe it or not, this one is OK :-)
>
> All callers pass in a pointer to a local stack kernel variable
> in raddr.

Ah. I assumed that "sys_*" meant that all pointers were from user space ---
is this generally not the case? (Also, are there other functions called
directly from user space that don't have the sys_* prefix?)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Previous message: Steve Whitehouse: "Re: [CHECKER] 84 bugs in 2.4.4/2.4.4-ac8 where NULL pointers are deref'd"
Next in thread: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Reply: David S. Miller: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"
Reply: Ingo Molnar: "Re: [CHECKER] 4 security holes in 2.4.4-ac8"