Date: Tue, 05 Jan 2010 12:47:42 -0800 (PST)
Message-Id: <20100105.124742.244214607.davem@davemloft.net>
To: andi@firstfloor.org
Cc: heiko.carstens@de.ibm.com, arjan@infradead.org, arnd@arndb.de,
       mingo@elte.hu, akpm@linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sparc: copy_from_user() should not return -EFAULT
From: David Miller <davem@davemloft.net>
In-Reply-To: <87skakbgy1.fsf@basil.nowhere.org>
References: <20100105053117.6a7c3377@infradead.org>
	<20100105152215.GD5480@osiris.boeblingen.de.ibm.com>
	<87skakbgy1.fsf@basil.nowhere.org>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1033
Lines: 26

From: Andi Kleen <andi@firstfloor.org>
Date: Tue, 05 Jan 2010 18:27:18 +0100

> Heiko Carstens <heiko.carstens@de.ibm.com> writes:
> 
>> Subject: [PATCH] sparc: copy_from_user() should not return -EFAULT
>>
>> From: Heiko Carstens <heiko.carstens@de.ibm.com>
>>
>> Callers of copy_from_user() expect it to return the number of bytes
>> it could not copy. In no case it is supposed to return -EFAULT.
>>
>> In case of a detected buffer overflow just return the requested
>> length. In addition one could think of a memset that would clear
>> the size of the target object.
> 
> Ouch! I would expect this is likely exploitable, e.g. in mount

You can rest easy as the problem only exists in 2.6.33-rcX, it got
introduced when I ported over the compile time length validation bits
from x86.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/