Subject: Re: copyout and address space overflows
To: None <tech-kern@netbsd.org>
From: Valeriy E. Ushakov <uwe@ptc.spbu.ru>
List: tech-kern
Date: 11/16/2006 21:19:44
On Thu, Nov 16, 2006 at 18:08:15 +0100, Joerg Sonnenberger wrote:

> the current firewire ioctl bug shows an interesting difference in the
> various copyout(9) implementations. On i386 the bug doesn't exist as a
> combination of two effects protects against it:
> (1) The kernel address space is the upper half of the VM.
> (2) copyout checks for overflows of the address space before doing any
> copying. (Aka dst + len < 0xffffffff)

Maybe we should get the copyin/out tests from OpenBSD?

    http://www.openbsd.org/cgi-bin/cvsweb/src/regress/sys/copy/

I didn't look thoroughly, but different copyfoo employ different
checks and it's worthwhile to make them do the same thing (and verify
it).

> I don't think we have any platforms which don't do (1), but Martin
> suggested that Sparc doesn't do (2). The question is, do we want to do
> that in general? The check should be quite cheap and protect against
> passing negative integers as len.

sparc64 uses separate kernel VA (and Jason mentioned m68k situation
earlier in the thread).


SY, Uwe
-- 
uwe@ptc.spbu.ru                         |       Zu Grunde kommen
http://snark.ptc.spbu.ru/~uwe/          |       Ist zu Grunde gehen
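As an added illustration of the two checks discussed above (this is example code written for this page, not NetBSD's copyout(9) or the OpenBSD regression tests), here is a user-range validator modelled on the i386 layout: a 32-bit address space with the kernel in the upper half, so `VM_MAXUSER_ADDRESS` (an assumed name and value) marks the user/kernel boundary. The naive variant only does check (1) and is fooled when `dst + len` wraps; the checked variant adds (2), which is also what catches a negative `len` that has become a huge `size_t`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: lower 2 GB user, upper 2 GB kernel (i386-style model). */
#define VM_MAXUSER_ADDRESS 0x80000000u   /* first kernel address */

/* Only check (1): is the end of the range below the kernel boundary?
 * Vulnerable to wraparound: dst + len can overflow back into low addresses. */
bool user_range_naive(uint32_t dst, uint32_t len)
{
    uint32_t end = dst + len;            /* may wrap modulo 2^32 */
    return end <= VM_MAXUSER_ADDRESS;
}

/* Checks (1) and (2): no address-space wraparound, and the range must lie
 * entirely in user space.  Computed without ever forming dst + len first. */
bool user_range_ok(uint32_t dst, uint32_t len)
{
    /* (2) overflow check.  A negative int cast to an unsigned len is huge
     * and fails here, as does any dst/len pair that wraps past 0xffffffff. */
    if (len > UINT32_MAX - dst)
        return false;
    /* (1) the range ends at or below the user/kernel boundary. */
    if (dst + len > VM_MAXUSER_ADDRESS)
        return false;
    return true;
}

int main(void)
{
    /* Constructed cases: a wrapping range and a negative length. */
    uint32_t wrap_dst = 0xfffff000u, wrap_len = 0x2000u;
    uint32_t neg_len = (uint32_t)-1;
    printf("wrap: naive=%d checked=%d\n",
           user_range_naive(wrap_dst, wrap_len), user_range_ok(wrap_dst, wrap_len));
    printf("neg len: naive=%d checked=%d\n",
           user_range_naive(0x1000u, neg_len), user_range_ok(0x1000u, neg_len));
    return 0;
}
```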