Chris Evans <[EMAIL PROTECTED]> writes:
|> To justify this, consider if len were set to minus 2 billion. This will
|> pass the sanity check, and pass the value straight on to copy_to_user. The
|> copy_to_user parameter is unsigned, so this value becomes approximately
|> +2Gb.
|>
|> Now,
On Wed, 18 Apr 2001, Russell King wrote:
> > Now, providing the malicious user passes a low user space pointer (e.g.
> > just above 0), the kernel's virtual address space wrap check will not
> > trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user
> > being able to read
On Wed, Apr 18, 2001 at 12:14:56PM +0100, Chris Evans wrote:
> To justify this, consider if len were set to minus 2 billion. This will
> pass the sanity check, and pass the value straight on to copy_to_user. The
> copy_to_user parameter is unsigned, so this value becomes approximately
> +2Gb.
On Tue, 17 Apr 2001, Dawson Engler wrote:
> Hi All,
>
> at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> checker to warn when the length parameter to copy_*_user was (1) an
> integer and (2) not checked < 0.
>
> As an example, the ipv6 routine rawv6_geticmpfilter gets an
On Wed, 18 Apr 2001, David Schleef wrote:
> On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
> > Hi All,
> >
> > at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> > checker to warn when the length parameter to copy_*_user was (1) an
> > integer and (2) not checked
On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
> Hi All,
>
> at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> checker to warn when the length parameter to copy_*_user was (1) an
> integer and (2) not checked < 0.
>
> As an example, the ipv6 routine
On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine
On Wed, 18 Apr 2001, David Schleef wrote:
On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As
On Tue, 17 Apr 2001, Dawson Engler wrote:
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine rawv6_geticmpfilter gets an integer
On Wed, Apr 18, 2001 at 12:14:56PM +0100, Chris Evans wrote:
To justify this, consider if len were set to minus 2 billion. This will
pass the sanity check, and pass the value straight on to copy_to_user. The
copy_to_user parameter is unsigned, so this value becomes approximately
+2Gb.
For
On Wed, 18 Apr 2001, Russell King wrote:
Now, providing the malicious user passes a low user space pointer (e.g.
just above 0), the kernel's virtual address space wrap check will not
trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user
being able to read kernel
Chris Evans [EMAIL PROTECTED] writes:
| To justify this, consider if len were set to minus 2 billion. This will
| pass the sanity check, and pass the value straight on to copy_to_user. The
| copy_to_user parameter is unsigned, so this value becomes approximately
| +2Gb.
|
| Now, providing the
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine rawv6_geticmpfilter gets an integer 'len'
from user space, checks that it is smaller
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine rawv6_geticmpfilter gets an integer 'len'
from user space, checks that it is smaller
14 matches