Re: [CHECKER] pcmcia user-pointer dereference

Alan Cox (alan@lxorguk.ukuu.org.uk)
30 May 2003 11:10:23 +0100


On Iau, 2003-05-29 at 22:11, Hollis Blanchard wrote:
> I contacted David Hinds about this; the behavior is by design. User
> space passes in a pointer to a kernel data structure, and the kernel
> verifies it by checking a magic number in that structure.
>
> It seems possible to perform some activity from user space to get the
> magic number into (any) kernel memory, then iterate over kernel space
> by passing pointers to the pcmcia ds_ioctl() until you manage to
> corrupt something. But I'm not really a security guy...

That isnt safe - the pointer dereference could hit anything

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/