I could be wrong, but it looks like 2.3.10p3 has a kernel mode buffer
overflow. Luckily it will only affect sparc - the only arch to use the new
"ptrace_writedata" function.
The problem is signed/unsigned conversion. The "len" arg to
ptrace_writedata is signed int, so as a user I set it to -1. The length
check only checks for exceeding the buffer size; -1 passes the check.
When we pass -1 to copy_from_user, it is converted to unsigned, i.e. ~4Gb
;-)
These subtle signed/unsigned conversions crop up time and time again :-/
Chris
PS. The corresponding ptrace read function looks similarly affected.
+int ptrace_writedata(struct task_struct *tsk, char * src, unsigned long
dst, int len)
+{
+ int copied = 0;
+ while (len) {
+ char buf[128];
+ int this_len, retval;
+
+ this_len = (len > sizeof(buf)) ? sizeof(buf) : len;
+ if (copy_from_user(buf, src, this_len))
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/