Re: NGROUPS 2.6.2rc2

From: Hugh Dickins
Date: Wed Jan 28 2004 - 13:07:41 EST

Next message: Pete Zaitcev: "Re: Cset 1.1490.4.201 - dasd naming"
Previous message: H. Peter Anvin: "long long on 32-bit machines"
In reply to: Hugh Dickins: "Re: NGROUPS 2.6.2rc2"
Next in thread: Linus Torvalds: "Re: NGROUPS 2.6.2rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 28 Jan 2004, Hugh Dickins wrote:
> On Tue, 27 Jan 2004, Tim Hockin wrote:
> > On Tue, Jan 27, 2004 at 04:46:15PM -0800, Andrew Morton wrote:
> > > +
> > > + if (info->ngroups > TASK_SIZE/sizeof(group))
> > > + return -EFAULT;
> > > + if (!access_ok(VERIFY_WRITE, grouplist, info->ngroups * sizeof(group)))
> > > + return -EFAULT;
> > >
> > > Why are many functions playing with TASK_SIZE?
> >
> > Not sure - I thought it was maybe a paranoid check, Rusty included it in his
> > version of a similar patch a while ago.
>
> Yes, a necessary paranoid check: without it, info->ngroups * sizeof(group)
> can easily wrap to something small, and access_ok pass when it should fail.

Sorry, I should have looked further. info->ngroups is an "int", so
if this check is needed, a check for negativity (or unsigned cast)
would also be needed. But it shouldn't be needed in the copy to user
cases, and in the copy from user cases gidsetsize should be checked
much earlier, in or before groups_alloc.

Hugh

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pete Zaitcev: "Re: Cset 1.1490.4.201 - dasd naming"
Previous message: H. Peter Anvin: "long long on 32-bit machines"
In reply to: Hugh Dickins: "Re: NGROUPS 2.6.2rc2"
Next in thread: Linus Torvalds: "Re: NGROUPS 2.6.2rc2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]