Subject: Re: copyout and address space overflows
To: None <email@example.com>
From: Valeriy E. Ushakov <firstname.lastname@example.org>
Date: 11/16/2006 21:19:44
On Thu, Nov 16, 2006 at 18:08:15 +0100, Joerg Sonnenberger wrote:
> the current firewire ioctl bug shows an interesting difference in the
> various copyout(9) implementations. On i386 the bug doesn't exist as a
> combination of two affects protects against it:
> (1) The kernel address space is the upper half of the VM.
> (2) copuyout checks for overflows of the address space before doing any
> copying. (Aka dst + len < 0xffffffff)
May be we should get the copyin/out tests from OpenBSD?
I didn't look thoroughly, but different copyfoo employ different
checks and it's worthwhile to make the do the same thing (and verify
> I don't think we have any platforms which doesn't do (1), but Martin
> suggested that Sparc doesn't do (2). The question is, do we want to do
> that in general? The check should be quite cheap and protect against
> passing negative integers as len.
sparc64 uses separate kernel VA (and Jason mentioned m68k situation
earlier in the thread).
email@example.com | Zu Grunde kommen
http://snark.ptc.spbu.ru/~uwe/ | Ist zu Grunde gehen