On Tue, 29 Jul 2014 18:25:57 -0400 (EDT)
Abhijith Das <[email protected]> wrote:
> > > + if ((xc->xc_xattr_mask & XSTAT_XATTR_ALL) &&
> > > + lxd->xd_blob.xb_xattr_count) {
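Review bot: `lxd->xd_blob.xb_xattr_count` is read through the __user pointer `lxd` directly, so the kernel dereferences user memory in this condition. Fetch the field into a kernel-side variable first, either `get_user(count, &lxd->xd_blob.xb_xattr_count)` or a `copy_from_user()` of the whole structure, return -EFAULT if that fails, and test the copy here instead. An earlier access_ok() only validates the address range; it neither keeps the page mapped nor stops the value from changing between the check and this read.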
> >
> > How can that be right? lxd is __user, it doesn't seem right to be
> > dereferencing it directly...?
>
> Wouldn't the call to access_ok() at the start of the syscall take care of
> this? All the __user pointers point to areas within the user supplied
> buffer buf and overflow past the end of the buffer for the last lxd is
> checked for.
No, dereferencing user-space pointers in the kernel is never OK. What
if user space remapped that page after the access_ok() call? You need
to use copy_*_user() to get at user-space structures from the kernel.
jon
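The pattern Jon is asking for, as an added example that is not part of the thread or the xstat patch: snapshot the user-space structure into kernel memory with copy_from_user(), then make every decision from the snapshot. This is a user-space model so it can be compiled and run outside the kernel; the struct layouts, the `linux_xstat_data` name, the XSTAT_XATTR_ALL value and the `copy_from_user()` stand-in (which mimics the real one's contract of returning the number of bytes not copied when the source is not a valid user address) are all assumptions, not code from the patch.

```c
/* User-space model of the copy_from_user() pattern from the reply above.
 * Added example, not kernel code. Struct layouts, the linux_xstat_data name
 * and the XSTAT_XATTR_ALL value are assumptions based on the quoted hunk. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define __user            /* sparse annotation; empty outside the kernel */
#define XSTAT_XATTR_ALL 0x1u   /* assumed flag value */

struct xstat_blob {
    uint32_t xb_xattr_count;
    uint32_t xb_xattr_len;
};

struct xstat_ctl {
    uint32_t xc_xattr_mask;
};

struct linux_xstat_data {   /* assumed name and layout for what *lxd points at */
    uint64_t xd_ino;
    struct xstat_blob xd_blob;
};

/* Model of the user address space: the only range a user pointer may refer
 * to. Anything outside it "faults", as an unmapped page would in the kernel. */
static unsigned char fake_user_mem[256];

/* Stand-in for the kernel's copy_from_user(): returns 0 on success, or the
 * number of bytes that could not be copied. Nothing is copied on failure. */
static unsigned long copy_from_user(void *to, const void __user *from,
                                    unsigned long n)
{
    uintptr_t a = (uintptr_t)from;
    uintptr_t lo = (uintptr_t)fake_user_mem;
    uintptr_t hi = lo + sizeof fake_user_mem;

    if (a < lo || a > hi || n > hi - a)
        return n;   /* not a valid user range: would fault */
    memcpy(to, from, n);
    return 0;
}

/* Correct pattern: copy once into kxd, then only ever look at kxd. The
 * user copy may be rewritten or unmapped at any moment after access_ok();
 * the kernel-side snapshot cannot, and it is read exactly once (no
 * double fetch). Returns the xattr count to report, 0, or -EFAULT. */
static long xstat_count_xattrs(const struct xstat_ctl *xc,
                               const struct linux_xstat_data __user *lxd)
{
    struct linux_xstat_data kxd;   /* kernel-side copy */

    if (copy_from_user(&kxd, lxd, sizeof kxd))
        return -EFAULT;

    if ((xc->xc_xattr_mask & XSTAT_XATTR_ALL) && kxd.xd_blob.xb_xattr_count)
        return kxd.xd_blob.xb_xattr_count;
    return 0;
}

/* Constructed input: place one record at the start of the fake user range
 * and hand back a "user pointer" to it. */
static const struct linux_xstat_data __user *make_user_record(uint32_t count)
{
    struct linux_xstat_data tmp = { .xd_ino = 42, .xd_blob = { count, 0 } };

    memcpy(fake_user_mem, &tmp, sizeof tmp);
    return (const struct linux_xstat_data __user *)fake_user_mem;
}

int main(void)
{
    struct xstat_ctl xc = { .xc_xattr_mask = XSTAT_XATTR_ALL };
    const struct linux_xstat_data __user *lxd = make_user_record(3);
    struct linux_xstat_data not_user;   /* outside the user range: faults */

    printf("count = %ld\n", xstat_count_xattrs(&xc, lxd));
    printf("bad pointer -> %ld (EFAULT is %d)\n",
           xstat_count_xattrs(&xc, &not_user), EFAULT);
    return 0;
}
```

If only one field is needed, get_user() on that field is the lighter equivalent; the point in either case is that the value the kernel tests is the one it already copied, never the one still sitting in user memory.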