Re: copy_from_user
Andrew Morton (akpm@digeo.com)
Wed, 18 Jun 2003 00:31:10 -0700
Paul Mackerras <paulus@samba.org> wrote:
>
> Some time ago (in the 2.1 series IIRC) we added code to copy_from_user
> to zero the remainder of the destination buffer if we faulted on the
> source. The motive was to eliminate some potential security holes
> that could arise if callers didn't check the return value from
> copy_from_user and continued on to pass the contents of the
> destination buffer back to userspace in one way or another.
>
> However, I notice that copy_from_user on i386 in 2.5 doesn't clear the
> destination if the access_ok() check fails,
This was not deliberate - the memset simply got lost.
It is simple enough to fix. Do we remember the details of the
security hole?
> or if the size is 1, 2 or 4.
This one is OK - __get_user_asm() does the zeroing in the fixup code.
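Added example, not code from the thread or from the kernel: a user-space model of the copy_from_user() contract being discussed, so the "lost memset" can be seen against a caller that ignores the return value. The user_mem/USER_* constants, access_ok_sim, copy_from_user_sim and stale_bytes_leaked are constructed stand-ins, not the real kernel helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a user address space: offsets below USER_MAPPED are
 * readable, offsets from USER_MAPPED up to USER_LIMIT pass access_ok() but
 * fault when touched, and anything beyond USER_LIMIT fails access_ok(). */
#define USER_MAPPED 16u
#define USER_LIMIT  64u
static const uint8_t user_mem[USER_MAPPED] = "0123456789abcdef";

static int access_ok_sim(size_t uaddr, size_t n)
{
    return uaddr <= USER_LIMIT && n <= USER_LIMIT - uaddr;
}

/* Model of copy_from_user(): returns the number of bytes NOT copied.
 * zero_on_access_fail selects whether the access_ok() failure path clears
 * the destination (the memset the thread says was lost on i386 in 2.5);
 * the fault path always clears the tail, as the fixup code does. */
static size_t copy_from_user_sim(void *to, size_t uaddr, size_t n,
                                 int zero_on_access_fail)
{
    if (!access_ok_sim(uaddr, n)) {
        if (zero_on_access_fail)
            memset(to, 0, n);
        return n;
    }
    size_t avail = uaddr < USER_MAPPED ? USER_MAPPED - uaddr : 0;
    size_t copied = n < avail ? n : avail;
    memcpy(to, user_mem + uaddr, copied);
    memset((uint8_t *)to + copied, 0, n - copied);   /* fixup-path zeroing */
    return n - copied;
}

/* A caller of the kind the zeroing protects against: it ignores the return
 * value and treats the whole buffer as valid. Returns how many bytes of
 * stale kernel contents (a 0xAA fill pattern here) it would hand back. */
static size_t stale_bytes_leaked(size_t uaddr, size_t n, int zero_on_access_fail)
{
    uint8_t kbuf[32];
    size_t stale = 0;
    if (n > sizeof kbuf)
        return 0;
    memset(kbuf, 0xAA, sizeof kbuf);  /* stand-in for leftover kernel data */
    (void)copy_from_user_sim(kbuf, uaddr, n, zero_on_access_fail);
    for (size_t i = 0; i < n; i++)
        stale += (kbuf[i] == 0xAA);
    return stale;
}
```

With the access_ok() path zeroing restored, the careless caller hands back no stale bytes in any of the three cases (partial fault, full fault, access_ok() failure); with it missing, only the access_ok() failure case leaks.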