On Mon, 7 Feb 2005 21:15:47 +0100
Andi Kleen <[EMAIL PROTECTED]> wrote:
> Yes, but it is done outside KERNEL_DS (otherwise it is a security hole)
> And then later in KERNEL_DS there is no verify_area.
It is done "inside" KERNEL_DS by the routines we invoke which
expect user pointers but we're giving them kernel pointers.
Example:
extern long sys_foo(char __user *buf, int len);

long compat_sys_foo(compat_uptr_t ubuf, int len)
{
	char *kbuf = kmalloc(len, GFP_KERNEL);
	mm_segment_t old_fs = get_fs();
	long err;

	if (!kbuf)
		return -ENOMEM;

	/* Widen the address limit so the access_ok() done inside
	 * sys_foo() accepts the kernel buffer we hand it. */
	set_fs(KERNEL_DS);
	err = sys_foo((char __user __force *)kbuf, len);
	set_fs(old_fs);

	/* Hand the result back to the 32-bit caller's buffer. */
	if (err >= 0 && copy_to_user(compat_ptr(ubuf), kbuf, len))
		err = -EFAULT;

	kfree(kbuf);
	return err;
}
The copy_to_user() or whatever done by sys_foo() will operate within
KERNEL_DS on "kbuf" and thus the access_ok() check done via copy_to_user()
will do the proper checks for us with my proposal of valid virtual address
ranges stored in the mm_struct.
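As an added illustration, not part of the original mail, the following user-space C model shows the classic address-limit check that access_ok() applies to the destination of copy_to_user(): the range [ptr, ptr+len) must not wrap around the address space and must end at or below the task's current limit, which set_fs(KERNEL_DS) temporarily raises to "everything". It models only that segment check, not the proposed per-mm table of valid ranges; USER_LIMIT, the MODEL_* names and the sample addresses are constructed values, not the kernel's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed split for the model: user addresses below USER_LIMIT,
 * kernel addresses above it (the real boundary is architecture-specific). */
#define USER_LIMIT      ((uint64_t)0x0000800000000000ULL)
#define MODEL_USER_DS   USER_LIMIT        /* get_fs() value of a normal task */
#define MODEL_KERNEL_DS (~(uint64_t)0)    /* after set_fs(KERNEL_DS): no limit */

/* Model of the classic access_ok(): returns 1 if [ptr, ptr+len) neither
 * wraps around the address space nor extends past the current limit. */
int model_access_ok(uint64_t addr_limit, uint64_t ptr, uint64_t len)
{
    if (len > UINT64_MAX - ptr)       /* ptr + len would wrap to a low address */
        return 0;
    return ptr + len <= addr_limit;
}

/* Mirrors the compat_sys_foo() sketch above: run a "syscall body" that
 * checks its pointer with model_access_ok() while the limit is KERNEL_DS,
 * then restore the caller's limit. */
int model_call_with_kernel_ds(uint64_t *fs, uint64_t kbuf, uint64_t len)
{
    uint64_t old_fs = *fs;
    int ok;

    *fs = MODEL_KERNEL_DS;                  /* set_fs(KERNEL_DS) */
    ok = model_access_ok(*fs, kbuf, len);   /* what sys_foo()'s copy would do */
    *fs = old_fs;                           /* set_fs(old_fs) */
    return ok;
}

/* Returns 1 if the temporary KERNEL_DS window leaves the limit as it found it;
 * forgetting the restore is the classic way this pattern goes wrong. */
int model_limit_restored(uint64_t kbuf, uint64_t len)
{
    uint64_t fs = MODEL_USER_DS;

    model_call_with_kernel_ds(&fs, kbuf, len);
    return fs == MODEL_USER_DS;
}

int main(void)
{
    uint64_t fs = MODEL_USER_DS;
    uint64_t ubuf = 0x00007fff00001000ULL;   /* constructed user address */
    uint64_t kbuf = 0xffff880000001000ULL;   /* constructed kernel address */

    printf("user buf under USER_DS:    %d\n", model_access_ok(fs, ubuf, 64));
    printf("kernel buf under USER_DS:  %d\n", model_access_ok(fs, kbuf, 64));
    printf("kernel buf via set_fs:     %d\n", model_call_with_kernel_ds(&fs, kbuf, 64));
    printf("limit restored afterwards: %d\n", model_limit_restored(kbuf, 64));
    printf("wrapping range, KERNEL_DS: %d\n",
           model_access_ok(MODEL_KERNEL_DS, UINT64_MAX - 8, 64));
    return 0;
}
```

The wrap test matters under KERNEL_DS: with the limit at its maximum, the only thing the segment check can still reject is a length that carries the end pointer back below the start.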