Andrew Morton <[EMAIL PROTECTED]> wrote: > On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <[EMAIL PROTECTED]> wrote:
>> Avoid buffer overflows in get_user_pages() >> >> So I spent a while pounding my head against my monitor trying to figure >> out the vmsplice() vulnerability - how could a failure to check for >> *read* access turn into a root exploit? It turns out that it's a buffer >> overflow problem which is made easy by the way get_user_pages() is >> coded. >> >> In particular, "len" is a signed int, and it is only checked at the >> *end* of a do {} while() loop. So, if it is passed in as zero, the loop >> will execute once and decrement len to -1. At that point, the loop will >> proceed until the next invalid address is found; in the process, it will >> likely overflow the pages array passed in to get_user_pages(). [...] > Can we just convert > > do { > ... > } while (len); > > into > > while (len) { while (len > 0), if I understand this patch correctly. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/