Chris Evans <[EMAIL PROTECTED]> writes:
|> To justify this, consider if len were set to minus 2 billion. This will
|> pass the sanity check, and pass the value straight on to copy_to_user. The
|> copy_to_user parameter is unsigned, so this value because approximately
|> +2Gb.
|>
|> Now, providin
On Wed, 18 Apr 2001, Russell King wrote:
> > Now, providing the malicious user passes a low user space pointer (e.g.
> > just above 0), the kernel's virtual address space wrap check will not
> > trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user
> > being able to read kerne
On Wed, Apr 18, 2001 at 12:14:56PM +0100, Chris Evans wrote:
> To justify this, consider if len were set to minus 2 billion. This will
> pass the sanity check, and pass the value straight on to copy_to_user. The
> copy_to_user parameter is unsigned, so this value because approximately
> +2Gb.
For
On Tue, 17 Apr 2001, Dawson Engler wrote:
> Hi All,
>
> at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> checker to warn when the length parameter to copy_*_user was (1) an
> integer and (2) not checked < 0.
>
> As an example, the ipv6 routine rawv6_geticmpfilter gets an in
On Wed, 18 Apr 2001, David Schleef wrote:
> On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
> > Hi All,
> >
> > at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> > checker to warn when the length parameter to copy_*_user was (1) an
> > integer and (2) not checked <
On Tue, Apr 17, 2001 at 09:39:15PM -0700, Dawson Engler wrote:
> Hi All,
>
> at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
> checker to warn when the length parameter to copy_*_user was (1) an
> integer and (2) not checked < 0.
>
> As an example, the ipv6 routine rawv6_geti
Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine rawv6_geticmpfilter gets an integer 'len'
from user space, checks that it is smaller th
7 matches
Mail list logo