On Fri, 2005-08-05 at 12:56 +0200, Roman Zippel wrote: > Hi, > > On Fri, 5 Aug 2005, Arjan van de Ven wrote: > > > > > we've had a non-negliable amount of security holes because of this > > > > > > So why don't we have a similiar kmalloc()? > > > > nope kmalloc is not an array allocator > > > > > > it makes it easy and safe. Of course you can and should check it in all > > > > users. Just that using a safer API is generally better than forcing > > > > everyone to do it themselves. > > > > > > How exactly does this make it a "safe API"? Even if it checks for this > > > one > > > case, it still makes the user suspectible for allocating big amounts of > > > unswappable memory. > > > > 128Kb max. > > You completely missed the point and didn't answer my questions at all... :-(
I found it hard to understand your question. Maybe it helps if I give the basic bug scenario first (pseudo C) void some_ioctl_func(...) { int count, i; struct foo *ptr; copy_from_user(&count,...); ptr = kmalloc(sizeof(struct foo) * count); if (!ptr) return -ENOMEM; for (i=0; i<count; i++) { initialize(ptr+i); } } if the user picks count such that the multiplication overflows, the kmalloc will actually *succeed* in getting a chunk between 0 and 128Kb. The subsequent "fill the array up" will overwrite a LOT of kernel memory though. Fixing the hole of course involves checking "count" for too high a value. Using kcalloc() will check for this same overflow inside kcalloc and prevent it (eg return NULL) if one of these slips through. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/