Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

From: Chris Mason (mason@suse.com)
Date: Wed Jan 10 2001 - 10:48:57 EST


On Wednesday, January 10, 2001 12:47:17 AM -0500 Alexander Viro
<viro@math.psu.edu> wrote:

> However, actual code really looks like the end of filldir(). If that's the
> case we are deep in it - argument of filldir() gets screwed. buf, that is.
> Since it happens after we've already done dereferencing of buf in
> filldir() and we don't trigger them... Fsck knows. copy_to_user() and
> put_user() should not be able to screw the kernel stack.
>
In filldir, I don't like the line where we ((char *)dirent += reclen ; If
reclen is much larger than the buffer sent from userspace, I don't see how
we stay in bounds.

-chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Jan 15 2001 - 21:00:27 EST