>Manfred Spraul <manfred@colorfullife.com> writes:
>
>
>
>>P.S.: On i386, you can access both kernel and user space after
>>set_fs(KERNEL_DS), or if you use __get_user() and bypass
>>access_ok(). Thus the __get_user() in arch/i386/kernel/traps.c,
>>function show_registers is correct. This is the only instance I'm
>>aware of where this is used, and noone else should be doing that. It
>>fails on other archs, e.g. on sparc.
>>
>>
>
>It is used in a couple more of places in the x86-64 architecture specific
>code. Of course it is legal there too.
>
>Also there are some corner cases; e.g. some architecture specific
>code (particularly the 32bit emulations) just does access_ok or
>get_user/put_user (with implied access_ok) on the first element
>of a structure and then accesses the other elements with __*_user.
>This works because these architectures have an unmapped hole at the
>end of the user address space.
>
>
This is different bug:
- bug 1 is access user space without the functions from <asm/uaccess.h>,
or access user space after set_fs(KERNEL_DS), or access kernel space
without set_fs(KERNEL_DS).
- bug 2 is not enough access_ok() calls, e.g. __put_user without a
preceeding access_ok() check, either explicit or implicit due to an
copy_from_user().
--
Manfred
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/