Re: buffer overflow in /proc/sys/sunrpc/transports

From: Cyrill Gorcunov
Date: Sun Aug 31 2008 - 06:37:46 EST

Next message: Frans Pop: "Re: [Bug #11398] hda_intel: IRQ timing workaround is activated for card #0. Suggest a bigger bdl_pos_adj."
Previous message: Vegard Nossum: "Re: [PATCH] sunrpc - fixup userspace buffer possible overrun v2"
In reply to: Cyrill Gorcunov: "Re: buffer overflow in /proc/sys/sunrpc/transports"
Next in thread: David Wagner: "Re: buffer overflow in /proc/sys/sunrpc/transports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Cyrill Gorcunov - Sun, Aug 31, 2008 at 02:30:26PM +0400]
...
|
| |
| | 2. Is it OK to dereference *lenp directly? Is lenp a pointer into user
| | memory or kernel memory? If it points to user memory, why is it safe to
| | dereference it directly? (What about TOCTTOU bugs?) Should there be
| | some sparse annotations here to ensure the code is not dereferencing
| | user pointers directly? Later on, proc_do_xprt() also dereferences
| | *lenp and *ppos directly.

on second view: will check for TOCTTOU bug (iirc vfs layer does
latch file descriptor for these kind of operations)

|
| Not only proc_do_xprt do that so I think it's safe (check for NULL
| on highr level I suspect).
|
...

- Cyrill -
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Frans Pop: "Re: [Bug #11398] hda_intel: IRQ timing workaround is activated for card #0. Suggest a bigger bdl_pos_adj."
Previous message: Vegard Nossum: "Re: [PATCH] sunrpc - fixup userspace buffer possible overrun v2"
In reply to: Cyrill Gorcunov: "Re: buffer overflow in /proc/sys/sunrpc/transports"
Next in thread: David Wagner: "Re: buffer overflow in /proc/sys/sunrpc/transports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]