anyone fixing copy_from_user() ?

Andrew Tridgell (tridge@samba.anu.edu.au)
Thu, 20 Aug 1998 15:20:04 +1000


Is anyone working on fixing copy_from_user() on Intel? I just tried
2.1.116 and noticed that the security hole I reported a few months
back is still there. I'd fix it myself, but I'm not competent with
Intel assembler.

Basically, copy_from_user() needs to be fixed to zero any memory that
is not copied. Otherwise any calls that don't check the return code
may allow a user to get at memory they shouldn't have access to.

For a demonstration of how to get at lots of memory try
ftp://samba.anu.edu.au/pub/tridge/misc/memdump.c and then look at the
resulting mem.dat. It goes through memory one page at a time (forcing
paging via mmap on the way) and ends up getting a fair bit of
memory. I'm sure you could get all pageable memory with a bit of
effort.

My original patch fixed this by patching fs/pipe.c for that specific
case, but Linus wanted to defer that till copy_from_user() was
fixed. Anyone want to fix it?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
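The leak tridge describes is a plain partial-copy bug: copy_from_user()
faults partway through the source buffer, returns the number of bytes it
could not copy, and leaves the tail of the kernel destination untouched.
A caller that ignores that return value (the pipe write path in his
example) then hands the stale tail of a recycled kernel buffer back to
whoever reads the pipe. The user-space C below is an added simulation of
that sequence, written for this page; it is neither memdump.c nor kernel
code. copy_from_user_sim(), its hypothetical `readable` parameter (how
many source bytes are mapped), the 16-byte "pipe buffer" and the 0xAA
stale marker are all assumptions of the example, not kernel interfaces.
It shows the unchecked caller leaking 12 of 16 bytes, the caller that
checks the return value rejecting the write, and the zeroing fix the
post asks for.

```c
/*
 * Added example: simulation of the copy_from_user() partial-copy leak.
 * Not kernel code and not tridge's memdump.c. All names below are
 * stand-ins chosen for this example.
 */
#include <stdio.h>
#include <string.h>

#define PIPE_BUF_SZ 16      /* size of the simulated pipe buffer (assumed) */
#define STALE_BYTE  0xAA    /* marker for stale kernel data (constructed) */
#define SIM_EFAULT  (-14)   /* errno value of EFAULT on Linux */

/* A recycled kernel page that still holds data the user must not see. */
static unsigned char kernel_page[PIPE_BUF_SZ];

static void reset_stale(void)
{
    memset(kernel_page, STALE_BYTE, sizeof kernel_page);
}

/* Stand-in for the 2.1.x copy_from_user(): copies what it can, returns the
 * number of bytes NOT copied, and leaves the rest of `to` untouched. This is
 * the defect under discussion. `readable` (hypothetical) is how many bytes of
 * `from` are actually mapped; a real copy would find that out by faulting. */
static size_t copy_from_user_sim(void *to, const void *from,
                                 size_t n, size_t readable)
{
    size_t ok = n < readable ? n : readable;
    memcpy(to, from, ok);
    return n - ok;
}

/* The fix the post asks for: zero whatever could not be copied. */
static size_t copy_from_user_zeroing(void *to, const void *from,
                                     size_t n, size_t readable)
{
    size_t left = copy_from_user_sim(to, from, n, readable);
    if (left)
        memset((unsigned char *)to + (n - left), 0, left);
    return left;
}

/* Vulnerable write path: ignores the return code and reports a full write,
 * so a later reader of the pipe gets `len` bytes, of which only `readable`
 * came from the user and the rest is stale kernel memory. */
static int pipe_write_unchecked(const unsigned char *user, size_t len,
                                size_t readable)
{
    copy_from_user_sim(kernel_page, user, len, readable);
    return (int)len;
}

/* Caller-side fix: refuse the write if any byte was not copied. */
static int pipe_write_checked(const unsigned char *user, size_t len,
                              size_t readable)
{
    if (copy_from_user_sim(kernel_page, user, len, readable))
        return SIM_EFAULT;
    return (int)len;
}

/* How many stale bytes would a pipe reader see right now? */
static int leaked_bytes(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof kernel_page; i++)
        if (kernel_page[i] == STALE_BYTE)
            n++;
    return n;
}

/* Scenario (constructed): a 16-byte user buffer of which only the first 4
 * bytes are mapped, like a page boundary hit partway through the copy. */
static int run_unchecked(void)
{
    unsigned char user[PIPE_BUF_SZ];
    memset(user, 'u', sizeof user);
    reset_stale();
    pipe_write_unchecked(user, sizeof user, 4);
    return leaked_bytes();              /* 12 stale bytes exposed */
}

static int run_checked(void)
{
    unsigned char user[PIPE_BUF_SZ];
    memset(user, 'u', sizeof user);
    reset_stale();
    return pipe_write_checked(user, sizeof user, 4);   /* SIM_EFAULT */
}

static int run_zeroing(void)
{
    unsigned char user[PIPE_BUF_SZ];
    memset(user, 'u', sizeof user);
    reset_stale();
    copy_from_user_zeroing(kernel_page, user, sizeof user, 4);
    return leaked_bytes();              /* 0: tail is zero, not stale */
}

int main(void)
{
    printf("unchecked caller: %d stale bytes readable\n", run_unchecked());
    printf("checked caller:   write returns %d\n", run_checked());
    printf("zeroing copy:     %d stale bytes readable\n", run_zeroing());
    return 0;
}
```

Both fixes are needed in practice: zeroing in copy_from_user() closes the
leak for every caller that forgets the check, while checking the return
value is what makes the partial write visible to the user as an error
instead of silently accepting truncated data.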