On Tue, Jan 15, 2019 at 7:05 AM Kangjie Lu wrote:
>
>
>
> On Mon, Jan 14, 2019 at 5:15 AM Rafael J. Wysocki wrote:
>>
>> On Wed, Jan 9, 2019 at 9:14 AM Kangjie Lu wrote:
>> >
>> > "user_buf->length" is in user space, and copied in twice. The second
>> > copy is after it passes the security
On Wed, Jan 9, 2019 at 9:14 AM Kangjie Lu wrote:
>
> "user_buf->length" is in user space, and copied in twice. The second
> copy is after it passes the security check. If a user program races to
> change user_buf->length in user space, the data fetched in the second
> copy may invalidate the
"user_buf->length" is in user space, and copied in twice. The second
copy is after it passes the security check. If a user program races to
change user_buf->length in user space, the data fetched in the second
copy may invalidate the security check. The fix avoids the double-fetch
issue by using