Re: anyone fixing copy_from_user() ?

Savochkin Andrey Vladimirovich (saw@msu.ru)
Thu, 20 Aug 1998 19:57:29 +0400


Andrew,

On Thu, Aug 20, 1998 at 03:20:04PM +1000, Andrew Tridgell wrote:
> Is anyone working on fixing copy_from_user() on intel? I just tried
> 2.1.116 and noticed that the security hole I reported a few months
> back is still there. I'd fix it myself, but I'm not competent with
> intel assembler.

I consider the hole as rather serious.

>
> Basically, copy_from_user() needs to be fixed to zero any memory that
> is not copied. Otherwise any calls that don't check the return code
> may allow a user to get at memory they shouldn't have access to.

If I understand you right it was suggested to clear the rest of the destination
space if copy_from_user() failed to copy data of the requested length?

>
> For a demonstration of how to get at lots of memory try
> ftp://samba.anu.edu.au/pub/tridge/misc/memdump.c and then look at the
> resulting mem.dat. It goes through memory one page at a time (forcing
> paging via mmap on the way) and ends up getting a fair bit of
> memory. I'm sure you could get all pageable memory with a bit of
> effort.
>
> My original patch fixed this by patching fs/pipe.c for that specific
> case, but Linus wanted to defer that till copy_from_user() was
> fixed. Anyone want to fix it?

I'll try to do it.

Best wishes
Andrey V. Savochkin
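As an added illustration (not code from the thread, nor from the kernel): a small user-space C model of what the two mails describe. `copy_from_user_old` mimics the semantics at issue, stopping at the first unreadable source byte and returning the count not copied while leaving the destination tail untouched; `copy_from_user_fixed` adds the zeroing that is being asked for. The fault offset, the stale-buffer fill value and the buffer contents are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the 1998 copy_from_user() behaviour: the copy stops
 * at the first "unmapped" source byte and the return value is the number of
 * bytes NOT copied. Nothing is done to the uncopied part of the destination. */
#define FAULT_AT 8   /* assumed offset of the first unreadable source byte */

static unsigned long copy_from_user_old(void *dst, const void *src, unsigned long n)
{
    unsigned long ok = n < FAULT_AT ? n : FAULT_AT;
    memcpy(dst, src, ok);
    return n - ok;                      /* bytes left uncopied */
}

/* The fix discussed in the thread: zero whatever was not copied, so a caller
 * that ignores the return code cannot later hand stale memory to userspace. */
static unsigned long copy_from_user_fixed(void *dst, const void *src, unsigned long n)
{
    unsigned long left = copy_from_user_old(dst, src, n);
    if (left)
        memset((char *)dst + (n - left), 0, left);
    return left;
}

/* A caller in the style the thread worries about: it ignores the return code
 * and treats the whole buffer as valid input. Returns how many bytes of the
 * pre-existing (stale) buffer content survive; with the fixed copy this is 0. */
static size_t stale_bytes_after_copy(int use_fixed)
{
    char kbuf[16];
    char user[16] = "ABCDEFGHIJKLMNO";   /* constructed "user" source */
    size_t stale = 0, i;

    memset(kbuf, 0xAA, sizeof kbuf);    /* 0xAA stands in for stale kernel data */
    if (use_fixed)
        (void)copy_from_user_fixed(kbuf, user, sizeof kbuf);
    else
        (void)copy_from_user_old(kbuf, user, sizeof kbuf);

    for (i = 0; i < sizeof kbuf; i++)
        if ((unsigned char)kbuf[i] == 0xAA)
            stale++;
    return stale;                       /* 8 with the old copy, 0 with the fix */
}
```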
