Re: [CHECKER] Help Needed!

Manfred Spraul (manfred@colorfullife.com)
Mon, 21 Apr 2003 11:23:07 +0200


Junfeng wrote:

>It seems to us that create_dev can only be called at boot time (the
>"__init" attribute), so devfs_name must be an untainted kernel pointer.
>The warning on line 437 isn't a real error.
>
>However, this pointer is finally passed into strncpy_from_user through the
>call chain [ sys_symlink (devfs_name, name) --> getname (oldname) -->
>do_getname(filename, _) --> strncpy_from_user (_, filename, _)]. Is it
>okay to call *_from_user functions with the second arguments untainted?
>What will access_ok(VERIFY_READ, src, 1) return?
>
>
The copy_{to,from}_user functions can access either user or kernel space:
after set_fs(KERNEL_DS), they access kernel space; after
set_fs(USER_DS), they access user space.

The initial boot thread starts with set_fs(KERNEL_DS), and is switched
back to set_fs(USER_DS) in search_binary_handler (fs/exec.c), called
during exec of /sbin/init.

--
    Manfred

P.S.: On i386, you can access both kernel and user space after set_fs(KERNEL_DS), or if you use __get_user() and bypass access_ok(). Thus the __get_user() in arch/i386/kernel/traps.c, function show_registers is correct. This is the only instance I'm aware of where this is used, and no one else should be doing that. It fails on other archs, e.g. on sparc.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
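The following is an added user-space model of the mechanism Manfred describes; it is not kernel code and is not part of the original message. It reproduces the arithmetic of the i386 access_ok() range check (addr + size must neither wrap nor exceed the current addr_limit) and runs the sys_symlink -> getname -> do_getname -> strncpy_from_user chain from Junfeng's question once with KERNEL_DS, as in the boot thread, and once with USER_DS, as after search_binary_handler has switched it. Assumptions: the 2.5-era i386 constants PAGE_OFFSET = 0xC0000000 for USER_DS and 0xFFFFFFFF for KERNEL_DS; every *_model name, the "backing" strings standing in for memory at a fake address, and the sample addresses 0xC0100000 and 0x08048000 are constructed for the example. The model has no page tables, so it cannot show the sparc failure from the P.S., only the fact that __get_user() skips the range check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_EFAULT 14

/* addr_limit values as on 2.5-era i386: USER_DS stops at PAGE_OFFSET
 * (0xC0000000, the 3G/1G split), KERNEL_DS covers the whole 32 bits.
 * Both are assumptions of this model. */
#define MODEL_USER_DS   0xC0000000u
#define MODEL_KERNEL_DS 0xFFFFFFFFu

/* Stand-in for current_thread_info()->addr_limit.seg. */
struct thread_model {
    uint32_t addr_limit;
};

static void set_fs_model(struct thread_model *t, uint32_t seg)
{
    t->addr_limit = seg;
}

/* Model of i386 access_ok(type, addr, size): true iff addr + size
 * neither carries out of 32 bits nor exceeds addr_limit, which is what
 * the "addl; sbbl; cmpl; sbbl" sequence in __range_ok computes. */
static int access_ok_model(const struct thread_model *t, uint32_t addr, uint32_t size)
{
    uint64_t end = (uint64_t)addr + size;   /* widened so the carry is visible */
    if (end > 0xFFFFFFFFull)
        return 0;                           /* carry out of addl: reject */
    return (uint32_t)end <= t->addr_limit;  /* cmpl limit, sum */
}

/* Model of strncpy_from_user() as reached from do_getname(). The
 * access_ok(VERIFY_READ, src, 1) check gates the copy; 'backing' is a
 * constructed byte string standing in for the memory at 'src' (the model
 * has no page tables). Returns the string length copied, 'count' if no
 * terminator was found within count bytes, or -MODEL_EFAULT. */
static long strncpy_from_user_model(const struct thread_model *t, char *dst,
                                    uint32_t src, const char *backing, size_t count)
{
    size_t i;

    if (!access_ok_model(t, src, 1))
        return -MODEL_EFAULT;
    for (i = 0; i < count; i++) {
        dst[i] = backing[i];
        if (backing[i] == '\0')
            return (long)i;
    }
    return (long)count;
}

/* Model of the __get_user() shortcut from the P.S.: the same fetch with
 * no access_ok() at all. On i386 kernel memory is mapped in every
 * context, so the read just returns the byte; the separate user address
 * space of sparc is not modelled here. */
static int get_user_unchecked_model(uint32_t src, const char *backing)
{
    (void)src;
    return (unsigned char)backing[0];
}

static char model_namebuf[4096];   /* stands in for the page getname() allocates */

/* The chain from the thread, sys_symlink -> getname -> do_getname ->
 * strncpy_from_user, run under a given addr_limit on a given pointer. */
static long getname_model(uint32_t seg, uint32_t name_addr, const char *backing)
{
    struct thread_model cur;

    set_fs_model(&cur, seg);
    return strncpy_from_user_model(&cur, model_namebuf, name_addr, backing,
                                   sizeof model_namebuf);
}

int main(void)
{
    /* Constructed addresses: 0xC0100000 is a typical i386 kernel text
     * address, 0x08048000 a typical user text address. */
    const uint32_t kernel_ptr = 0xC0100000u, user_ptr = 0x08048000u;
    long r;

    r = getname_model(MODEL_KERNEL_DS, kernel_ptr, "misc/rtc");
    printf("boot thread (KERNEL_DS), kernel ptr:   %ld \"%s\"\n", r, r >= 0 ? model_namebuf : "");
    r = getname_model(MODEL_USER_DS, kernel_ptr, "misc/rtc");
    printf("after exec of init (USER_DS), kernel ptr: %ld (-EFAULT is %d)\n", r, -MODEL_EFAULT);
    r = getname_model(MODEL_USER_DS, user_ptr, "/dev/null");
    printf("after exec of init (USER_DS), user ptr:   %ld \"%s\"\n", r, r >= 0 ? model_namebuf : "");
    printf("__get_user-style unchecked fetch of kernel ptr: '%c'\n",
           get_user_unchecked_model(kernel_ptr, "misc/rtc"));
    return 0;
}
```

Build with "cc -std=c99 -Wall model.c". The point the model makes concrete is the one in the reply: the checker's "untainted pointer into *_from_user" warning is only a bug if the thread's addr_limit is USER_DS at the time of the call, and for an __init caller on the boot thread it is KERNEL_DS. The two boundary checks (a read that ends exactly at PAGE_OFFSET is accepted under USER_DS, one that crosses it is not, and a read that wraps past 0xFFFFFFFF is rejected even under KERNEL_DS) are the cases a reviewer of any access_ok() port should look at.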