Re: [SECURITY] - 2.3.10p3 ptrace introduces kernel buffer overflow?

David S. Miller (davem@redhat.com)
Sun, 4 Jul 1999 17:40:55 -0700


Date: Mon, 5 Jul 1999 01:02:05 +0100 (GMT)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>

The problem is signed/unsigned conversion. The "len" arg to
ptrace_writedata is signed int, so as a user I set it to -1. The
length check only checks for exceeding the buffer size; -1 passes
the check. When we pass -1 to copy_from_user, it is converted to
unsigned, i.e. ~4Gb ;-)

Thanks, these two functions need to be extern declared in a header
file too, I'll submit fixes for both problems to Linus.

Later,
David S. Miller
davem@redhat.com
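To make the signed/unsigned mismatch described above concrete, here is a constructed C example (added here, not kernel code from the thread; the buffer size, function names and the exact form of the original length check are assumptions): the upper-bound-only check beside a version that rejects negative lengths, and the count copy_from_user would actually be handed on a 32-bit kernel.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel buffer a write-data request fills. */
#define KBUF_SIZE 64

/* Length check as the thread describes it: only the upper bound is guarded and
 * the comparison is done in signed int, so len = -1 passes. */
static int len_check_vulnerable(int len, size_t bufsize)
{
    return len <= (int)bufsize;        /* -1 <= 64 is true */
}

/* Hardened check: refuse negative lengths before any unsigned comparison. */
static int len_check_fixed(int len, size_t bufsize)
{
    if (len < 0)
        return 0;
    return (size_t)len <= bufsize;
}

/* Count copy_from_user would see on a 32-bit kernel: -1 becomes 0xFFFFFFFF. */
static unsigned long count_seen_by_copy_from_user(int len)
{
    return (unsigned long)(unsigned int)len;
}

/* Simulated write-data handler using the fixed check. Returns bytes copied,
 * or -1 (the kernel would return -EINVAL) when the request is rejected. */
static long writedata_fixed(int len)
{
    unsigned char kbuf[KBUF_SIZE];
    unsigned char user_src[KBUF_SIZE];          /* constructed "user" data */
    memset(user_src, 'A', sizeof(user_src));
    if (!len_check_fixed(len, sizeof(kbuf)))
        return -1;
    memcpy(kbuf, user_src, (size_t)len);        /* stands in for copy_from_user */
    return len;
}

int main(void)
{
    printf("len=-1: vulnerable check %d, fixed check %d, copy count %lu\n",
           len_check_vulnerable(-1, KBUF_SIZE), len_check_fixed(-1, KBUF_SIZE),
           count_seen_by_copy_from_user(-1));
    printf("writedata_fixed(-1) -> %ld, writedata_fixed(16) -> %ld\n",
           writedata_fixed(-1), writedata_fixed(16));
    return 0;
}
```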
