Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 18 Apr 2001 09:11:46 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 18 Apr 2001 09:11:26 -0400 Received: from ferret.lmh.ox.ac.uk ([163.1.18.131]:48399 "HELO ferret.lmh.ox.ac.uk") by vger.kernel.org with SMTP id ; Wed, 18 Apr 2001 09:11:24 -0400 Date: Wed, 18 Apr 2001 14:11:20 +0100 (BST) From: Chris Evans To: Russell King cc: David Schleef , Dawson Engler , Subject: Re: [CHECKER] copy_*_user length bugs? In-Reply-To: <20010418140059.A442@flint.arm.linux.org.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 18 Apr 2001, Russell King wrote: > > Now, providing the malicious user passes a low user space pointer (e.g. > > just above 0), the kernel's virtual address space wrap check will not > > trigger because ~0 + ~2Gb does not exceed 4G. And the result is the user > > being able to read kernel memory. > > But ~0 + ~2GB = ~2GB. Last time I checked, ~2GB is less than 3GB, and 3GB > is the start of kernel memory on x86. Therefore, I don't see that the > user will be able to read kernel memory. The problem is that (up to) a 2Gb copy is attempted into userspace. The source is a kernel object which is not 2Gb large! So, we read off the end of some kernel object, and there is often something very interesting after it ;-) For a good real-world example, please see my Bugtraq post regarding sysctl(): http://www.securityfocus.com/archive/1/161764 Cheers Chris - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/