Subject: copyout and address space overflows
To: None <>
From: Joerg Sonnenberger <>
List: tech-kern
Date: 11/16/2006 18:08:15

Hi all,
the current firewire ioctl bug shows an interesting difference in the
various copyout(9) implementations. On i386 the bug doesn't exist as a
combination of two effects protects against it:
(1) The kernel address space is the upper half of the VM.
(2) copyout checks for overflows of the address space before doing any
copying. (Aka dst + len < 0xffffffff)

I don't think we have any platforms which don't do (1), but Martin
suggested that Sparc doesn't do (2). The question is, do we want to do
that in general? The check should be quite cheap and protect against
passing negative integers as len.
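
The following is an added example, not part of the original message and not NetBSD's copyout code: a user-space C model of the range check discussed above, showing how a negative length converted to an unsigned size slips past a check that ignores wrap-around and is caught by one that tests for overflow. The 32-bit layout, the `MODEL_USER_MAX` boundary and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this model: user space is the lower half of a 32-bit VM. */
#define MODEL_USER_MAX 0x80000000u     /* first kernel address (constructed) */

/* Model of a caller that hands a signed length to the copy routine. */
static uint32_t len_from_int(int32_t n)
{
    return (uint32_t)n;                /* -1 becomes 0xffffffff */
}

/* Naive check: only looks at where the copy ends, ignores wrap-around. */
static int range_ok_naive(uint32_t dst, uint32_t len)
{
    uint32_t end = dst + len;          /* wraps modulo 2^32 */
    return end <= MODEL_USER_MAX;
}

/* Overflow-aware check: reject if dst + len wraps or leaves user space. */
static int range_ok_checked(uint32_t dst, uint32_t len)
{
    if (len > UINT32_MAX - dst)        /* dst + len would overflow */
        return 0;
    return dst + len <= MODEL_USER_MAX;
}

int main(void)
{
    /* Constructed sample inputs: user destination address and signed length. */
    struct { uint32_t dst; int32_t len; } cases[] = {
        { 0x00001000u, 64 },           /* ordinary copy */
        { 0x7fffffc0u, 64 },           /* ends exactly at the boundary */
        { 0x00001000u, -1 },           /* wraps back into user space */
        { 0x00001000u, INT32_MIN },    /* no wrap, but ends in the upper half */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t len = len_from_int(cases[i].len);
        printf("dst=0x%08x len=0x%08x naive=%d checked=%d\n",
               (unsigned)cases[i].dst, (unsigned)len,
               range_ok_naive(cases[i].dst, len),
               range_ok_checked(cases[i].dst, len));
    }
    return 0;
}
```

In this model the `INT32_MIN` case is rejected by both checks because the end address lands in the upper half, while the `-1` case is rejected only by the overflow-aware check.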