Re: [CHECKER] Probable Security Errors in 2.4.12-ac3

• Next message: Jonathan Morton: "Re: The new X-Kernel !"
• Previous message: Christoph Rohland: "Re: Kernel Compile in tmpfs crumples in 2.4.12 w/epoll patch"
• In reply to: Ken Ashcraft: "[CHECKER] Probable Security Errors in 2.4.12-ac3"
• Next in thread: Ken Ashcraft: "Re: [CHECKER] Probable Security Errors in 2.4.12-ac3"
• Reply: Ken Ashcraft: "Re: [CHECKER] Probable Security Errors in 2.4.12-ac3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: "Ken Ashcraft" <kash@stanford.edu>
> [BUG] minor, loops on len
> /home/kash/linux/2.4.12/ipc/msg.c:788:sys_msgrcv: ERROR:RANGE:756:788: Using user length "msgsz" as argument to "store_msg"
[type=GLOBAL] [state = need_ub] set by 'user-originated parameter':756 [distance=81]
>
> ss_wakeup(&msq->q_senders,0);
> msg_unlock(msqid);
> out_success:
> msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
> if (put_user (msg->m_type, &msgp->mtype) ||
> Error --->
> store_msg(msgp->mtext, msg, msgsz)) {
> msgsz = -EFAULT;
> }
> free_msg(msg);

That's not a bug:
* msgsz is limited to msg->m_ts (2 lines above store_msg)
* msg->m_ts is set by sys_msgsnd to msgsz, and that function rejects messages longer than msg_ctlmax.

--
    Manfred
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

• Next message: Jonathan Morton: "Re: The new X-Kernel !"
• Previous message: Christoph Rohland: "Re: Kernel Compile in tmpfs crumples in 2.4.12 w/epoll patch"
• In reply to: Ken Ashcraft: "[CHECKER] Probable Security Errors in 2.4.12-ac3"
• Next in thread: Ken Ashcraft: "Re: [CHECKER] Probable Security Errors in 2.4.12-ac3"
• Reply: Ken Ashcraft: "Re: [CHECKER] Probable Security Errors in 2.4.12-ac3"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Oct 23 2001 - 21:00:27 EST