Subject: Re: copyout and address space overflows
To: None <email@example.com>
From: Joerg Sonnenberger <firstname.lastname@example.org>
Date: 11/17/2006 00:44:55
On Thu, Nov 16, 2006 at 03:04:55PM -0800, Jason Thorpe wrote:
> On Nov 16, 2006, at 1:39 PM, Joerg Sonnenberger wrote:
> >Hm. We could place a reservation at the 31bit boundary and check that
> >the input for copyout does not cross it or wrap around, which is a
> >generalised version of what i386 implicitly does with the userspace
> >limit check.
> Not easily, nor would such an artificial limitation be worth it, IMO.
It is not really a limitation. The whole address space is still useable,
it just allows catching bogus copyouts which are possible exploits.
Checking len for a large value would be another option, of course. I'd
just like to see at least some possible protection on place :-)