On Wed, May 16, 2007 at 10:56:22PM -0600, sk b wrote: > > Hello, > > I'm wondering whether there is an exploitable TOCTTOU race condition in the > way user pointers are handled in the kernel. Consider the following code: > > 1: struct st { int *u; }; > 2: void syscall(struct st * stp) { > 3: if (!access_ok(VERIFY_READ,stp,sizeof(struct st))) > 4: return; > 5: if (!access_ok(VERIFY_WRITE,stp->u,sizeof(int)))
... and there's your bug - direct access to userland data. The normal variant is to use accessors (get_user() or copy_from_user()) to fetch the value of stp->u. At which point races of the kind you mentioned take an obviously dumb code (explicitly copying the same struct from userland _twice_). - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/