copy_from_user

Paul Mackerras (paulus@samba.org)
Wed, 18 Jun 2003 16:50:23 +1000


Some time ago (in the 2.1 series IIRC) we added code to copy_from_user
to zero the remainder of the destination buffer if we faulted on the
source. The motive was to eliminate some potential security holes
that could arise if callers didn't check the return value from
copy_from_user and continued on to pass the contents of the
destination buffer back to userspace in one way or another.

However, I notice that copy_from_user on i386 in 2.5 doesn't clear the
destination if the access_ok() check fails, or if the size is 1, 2 or
4. Have all the callers of copy_from_user been checked? Is the
zeroing of the destination no longer necessary?

Thanks,
Paul.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/