Date: Thu, 28 Oct 2004 03:04:57 -0700 (PDT)
From: Sorav Bansal <sbansal@stanford.edu>
To: Andrew Morton <akpm@osdl.org>
cc: tacetan@yahoo.com, <linux-kernel@vger.kernel.org>
Subject: Re: BUG REPORT: User/Kernel Pointer bug in sys_poll
In-Reply-To: <20041028024839.6a1e1064.akpm@osdl.org>
Message-ID: <Pine.GSO.4.44.0410280255040.14448-100000@elaine37.Stanford.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1218
Lines: 33


> Nope.  The only significant difference between copy_from_user() and
> __put_user() here is that copy_from_user() checks that the address is not
> in the 0xc0000000-0xffffffff range.  __put_user() skips that check.

This is true for modern x86 architectures.

For some older 386's, where Write-Protect does not work okay, there is a
difference between put_user() and copy_from_user(). put_user() performs an
extra check called verify_write() in addition to checking the address
range. Hence, the following code may be unsafe when running on those
machines.

> So
>
> 	if (copy_from_user(kaddr, addr, n))
> 		fail();
> 	__put_user(42, addr);
>
> is safe.  We know that the address is in the 0x00000000-0xbfffffff range by
> the time we call __put_user().  And if the page at *addr it not writeable
> the kernel will take a fault.

In older 386's, the kernel will NOT take a fault and write to the
write-protected region.

But then, maybe 386 is too old to worry about :-)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/