Source-Changes-D archive


Re: CVS commit: src



On 21/04/2014 01:46, Taylor R Campbell wrote:
> 
>    From: "Maxime Villard" <maxv%netbsd.org@localhost>
>    Date: Wed, 16 Apr 2014 18:55:20 +0000
> 
>    An (un)privileged user can easily make the kernel dereference a NULL
>    pointer.
> 
>    The kernel allows 'data' to be NULL; it's the fs's responsibility to
>    ensure that it isn't NULL (if the fs actually needs data).
> 
> In most cases of the changes you made, there is already a test for the
> length of the data buffer.  Is this not guaranteed to be zero if data
> is null?  It seems to me that the length test ought to suffice, and if
> anything the null pointer test should be an assertion, not a check.
> 

Not at all. 'data' and 'data_len' come from userspace. A user can set data
to NULL and data_len to a value high enough to bypass the data_len check.

I've already demonstrated that to security-alert@.
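
The point made in the reply above, as an added example that is not part of the original message or of the NetBSD source: a userland C model in which the pointer and the length are two independent caller-supplied values, so a length-only check accepts a NULL pointer. `struct demo_args`, `demo_mount`, `check_len_only` and `check_ptr_and_len` are hypothetical names, and the model reports where a dereference would occur instead of performing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a filesystem's mount argument structure. */
struct demo_args {
    char fspec[32];
    int  flags;
};

enum outcome { REJECTED, COPIED, WOULD_FAULT };

typedef int (*validator)(const void *data, size_t data_len);

/* Length-only validation: assumes a large enough length implies a usable pointer. */
int check_len_only(const void *data, size_t data_len)
{
    (void)data;
    return data_len >= sizeof(struct demo_args);
}

/* Validates both caller-controlled values, since neither constrains the other. */
int check_ptr_and_len(const void *data, size_t data_len)
{
    return data != NULL && data_len >= sizeof(struct demo_args);
}

/* Model of a mount handler: validate, then read the argument structure. */
enum outcome demo_mount(validator ok, const void *data, size_t data_len,
                        struct demo_args *out)
{
    if (!ok(data, data_len))
        return REJECTED;
    if (data == NULL)          /* harness guard: kernel code would dereference NULL here */
        return WOULD_FAULT;
    memcpy(out, data, sizeof(*out));
    return COPIED;
}

int main(void)
{
    struct demo_args out;
    /* Constructed input: NULL pointer paired with a large length. */
    printf("len-only check: %d\n", demo_mount(check_len_only, NULL, 4096, &out));
    printf("ptr+len check:  %d\n", demo_mount(check_ptr_and_len, NULL, 4096, &out));
    return 0;
}
```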

