Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)

• Next message: Tim Wright: "Re: VM subsystem bug in 2.4.0 ?"
• Previous message: Alan Cox: "Re: Anybody got 2.4.0 running on a 386 ?"
• In reply to: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Next in thread: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Reply: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday, January 10, 2001 12:47:17 AM -0500 Alexander Viro
<viro@math.psu.edu> wrote:

> However, actual code really looks like the end of filldir(). If that's the
> case we are deep in it - argument of filldir() gets screwed. buf, that is.
> Since it happens after we've already done dereferencing of buf in
> filldir() and we don't trigger them... Fsck knows. copy_to_user() and
> put_user() should not be able to screw the kernel stack.
>
In filldir, I don't like the line where we ((char *)dirent += reclen ; If
reclen is much larger than the buffer sent from userspace, I don't see how
we stay in bounds.

-chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Tim Wright: "Re: VM subsystem bug in 2.4.0 ?"
• Previous message: Alan Cox: "Re: Anybody got 2.4.0 running on a 386 ?"
• In reply to: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Next in thread: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Reply: Alexander Viro: "Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE Linux)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Jan 15 2001 - 21:00:27 EST