Re: [CHECKER] copy_*_user length bugs?

Russell King (rmk@arm.linux.org.uk)
Wed, 18 Apr 2001 14:00:59 +0100


On Wed, Apr 18, 2001 at 12:14:56PM +0100, Chris Evans wrote:
> To justify this, consider if len were set to minus 2 billion. This will
> pass the sanity check, and pass the value straight on to copy_to_user. The
> copy_to_user parameter is unsigned, so this value because approximately
> +2Gb.

For ARM, this isn't a problem (we do 33-bit arithmetic in access_ok
specifically to catch this type of thing). x86 does the same thing (or
did when I wrote the code for ARM.

> Now, providing the malicious user passes a low user space pointer (e.g.
> just above 0), the kernel's virtual address space wrap check will not
> trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user
> being able to read kernel memory.

But ~0 + ~2GB = ~2GB. Last time I checked, ~2GB is less than 3GB, and 3GB
is the start of kernel memory on x86. Therefore, I don't see that the
user will be able to read kernel memory.

--
Russell King (rmk@arm.linux.org.uk)                The developer of ARM Linux
             http://www.arm.linux.org.uk/personal/aboutme.html

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/