David S. Miller wrote:
> From: Manfred Spraul <manfred@colorfullife.com>
> Date: Tue, 06 Aug 2002 11:17:33 +0200
>
> > - printk("No.\n");
> > + printk("No (that's security hole).\n");
> > #ifdef CONFIG_X86_WP_WORKS_OK
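Review bot: The string added in the `+` printk line, "No (that's security hole).", is missing an article and tells whoever reads the kernel log neither what the hole is nor what follows from it. Suggest wording that names the consequence, such as "No (kernel writes ignore user write protection)", and a short comment above the printk explaining why a non-working WP bit is treated as a security problem, since the hunk itself gives no rationale.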
>
> Could you explain the hole?
> WP works for user space apps, only ring0 (or ring 0-2?) code
> ignores the WP bit on i386.
>
> So copy_to_user() could write to user areas that are write-protected.
>
> verify_area() checks aren't enough, consider a threaded application
> calling mprotect() while the copy is in progress.
>
>
Then we should either fix copy_to_user(), or mark 80386 unsupported, or
disable multi-threading on 80386. It's a random memory corruption, far
worse than a security hole.
--
Manfred
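The interleaving discussed in this thread, as an added user-space model that is not part of the original messages and is not kernel code: a permission check up front, an mprotect() from another thread in the window, then supervisor-mode stores on a CPU that either honors or ignores the WP bit. All `model_*` names, the `struct page` layout and the sample data are hypothetical and constructed for illustration; the race is replayed deterministically through a callback instead of real threads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one user page: a writable bit plus its contents. */
struct page { bool writable; char data[16]; };

enum copy_result { COPY_OK, COPY_REJECTED_BY_CHECK, COPY_FAULTED };

/* Stands in for the up-front verify_area() permission check. */
static bool model_verify_area(const struct page *pg) { return pg->writable; }

/* Stands in for another thread calling mprotect() to make the page read-only. */
static void model_mprotect_readonly(struct page *pg) { pg->writable = false; }

/* One supervisor-mode store. wp_honored == false models the 80386 case
 * from the thread, where ring 0 ignores the page's write protection. */
static bool model_kernel_store(struct page *pg, size_t off, char c, bool wp_honored)
{
    if (wp_honored && !pg->writable)
        return false;                 /* hardware raises a page fault */
    pg->data[off] = c;
    return true;
}

/* Check first, copy afterwards; other_thread runs inside the window between them. */
enum copy_result model_copy_to_user(struct page *pg, const char *src, size_t n,
                                    bool wp_honored, void (*other_thread)(struct page *))
{
    if (n > sizeof pg->data || !model_verify_area(pg))
        return COPY_REJECTED_BY_CHECK;
    if (other_thread)
        other_thread(pg);             /* permissions change after the check */
    for (size_t i = 0; i < n; i++)
        if (!model_kernel_store(pg, i, src[i], wp_honored))
            return COPY_FAULTED;
    return COPY_OK;
}

/* True when a page that ended up read-only was still overwritten. */
bool readonly_page_modified(bool wp_honored)
{
    struct page pg = { .writable = true, .data = "original" };
    model_copy_to_user(&pg, "XXXX", 4, wp_honored, model_mprotect_readonly);
    return !pg.writable && memcmp(pg.data, "original", 8) != 0;
}

int main(void)
{
    printf("WP honored: modified=%d\n", readonly_page_modified(true));
    printf("WP ignored: modified=%d\n", readonly_page_modified(false));
    return 0;
}
```

With WP honored the first store faults and the page keeps its contents; with WP ignored the earlier check is the only barrier, so the write lands on a page that is read-only by then.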