Subject: Re: copyout and address space overflows
To: None <>
From: Valeriy E. Ushakov <>
List: tech-kern
Date: 11/16/2006 21:19:44
On Thu, Nov 16, 2006 at 18:08:15 +0100, Joerg Sonnenberger wrote:

> the current firewire ioctl bug shows an interesting difference in the
> various copyout(9) implementations. On i386 the bug doesn't exist as a
> combination of two effects protects against it:
> (1) The kernel address space is the upper half of the VM.
> (2) copyout checks for overflows of the address space before doing any
> copying. (Aka dst + len < 0xffffffff)

May be we should get the copyin/out tests from OpenBSD?

I didn't look thoroughly, but different copyfoo employ different
checks and it's worthwhile to make them do the same thing (and verify

> I don't think we have any platforms which don't do (1), but Martin
> suggested that Sparc doesn't do (2). The question is, do we want to do
> that in general? The check should be quite cheap and protect against
> passing negative integers as len.

sparc64 uses separate kernel VA (and Jason mentioned m68k situation
earlier in the thread).

SY, Uwe
--                         |       Zu Grunde kommen          |       Ist zu Grunde gehen
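An added example to illustrate the point discussed above (check (2), the overflow test on dst + len, and why it matters when a negative int reaches copyout as a size_t). This is not NetBSD's copyout(9) code nor anything posted by the participants: it models a hypothetical 32-bit layout with an assumed VM_MAXUSER_ADDRESS of 0x80000000 (kernel in the upper half, as in (1)) and contrasts a range check written as a plain sum, which wraps, with one that cannot wrap, plus a layout-independent carry test for a port where user addresses span the whole range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit layout for the example: user space is the low half,
 * kernel the upper half. Assumed constant, not any real port's value. */
typedef uint32_t vaddr_t;
#define VM_MAXUSER_ADDRESS ((vaddr_t)0x80000000u)

/* Check written as a plain sum: "dst + len must not reach the kernel half".
 * The addition is done in vaddr_t and wraps modulo 2^32, so an absurd len
 * (a negative int converted to size_t) wraps the sum back into user space
 * and the check passes. Returns 1 if the copy would be allowed. */
int naive_range_ok(vaddr_t dst, vaddr_t len)
{
    return (vaddr_t)(dst + len) <= VM_MAXUSER_ADDRESS;
}

/* Same intent, but no intermediate can wrap: reject a dst that is already a
 * kernel address, then compare len with the room left below the boundary. */
int safe_range_ok(vaddr_t dst, vaddr_t len)
{
    if (dst >= VM_MAXUSER_ADDRESS)
        return 0;
    return len <= VM_MAXUSER_ADDRESS - dst;
}

/* Layout-independent test for a port whose user addresses can span the whole
 * range (separate kernel VA, so (1) does not apply): returns 1 if dst + len
 * would carry out of the address space. This is the "carry set after the
 * add" test expressed in C without performing the wrapping add. */
int range_wraps(vaddr_t dst, vaddr_t len)
{
    return len > (vaddr_t)UINT32_MAX - dst;
}

int main(void)
{
    /* Constructed inputs; the last one is the (size_t)-1 case. */
    struct { vaddr_t dst, len; const char *what; } cases[] = {
        { 0x10000000u, 0x100u,      "ordinary user buffer" },
        { 0x7fffff00u, 0x100u,      "ends exactly at the boundary" },
        { 0x7ffffff0u, 0x20u,       "straddles into the kernel half" },
        { 0x10000000u, 0xffffffffu, "len = (size_t)-1, a negative int" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("dst=%08x len=%08x  naive=%d safe=%d wraps=%d  (%s)\n",
               (unsigned)cases[i].dst, (unsigned)cases[i].len,
               naive_range_ok(cases[i].dst, cases[i].len),
               safe_range_ok(cases[i].dst, cases[i].len),
               range_wraps(cases[i].dst, cases[i].len),
               cases[i].what);
    return 0;
}
```

The fourth row is the interesting one: the wrapped sum lands at 0x0fffffff, so the naive check accepts a copy that would run from user space straight through the kernel half, while the subtraction form rejects it. On a layout where (1) does not hold, the sum-against-boundary check has nothing to compare against and only the carry test remains, which is why the two need to be kept distinct when making the copyfoo routines consistent across ports.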