Subject: Re: copyout and address space overflows
To: None <tech-kern@netbsd.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-kern
Date: 11/17/2006 00:44:55
On Thu, Nov 16, 2006 at 03:04:55PM -0800, Jason Thorpe wrote:
> 
> On Nov 16, 2006, at 1:39 PM, Joerg Sonnenberger wrote:
> 
> >Hm. We could place a reservation at the 31bit boundary and check that
> >the input for copyout does not cross it or wrap around, which is a
> >generalised version of what i386 implicitly does with the userspace
> >limit check.
> 
> Not easily, nor would such an artificial limitation be worth it, IMO.

It is not really a limitation. The whole address space is still usable,
it just allows catching bogus copyouts which are possible exploits.
Checking len for a large value would be another option, of course. I'd
just like to see at least some possible protection in place :-)

Joerg
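The check under discussion, as an added illustration that is not code from this thread or from the NetBSD kernel: a user-range validator that rejects a copyout whose `uaddr + len` wraps around, crosses the user/kernel boundary, or starts above it, next to the naive comparison that a wrapped sum slips past. `USER_LIMIT` is a constructed stand-in for the 31-bit boundary mentioned in the message (a real kernel would use its own VM_MAXUSER_ADDRESS), and `user_range_ok`/`naive_range_ok` are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed value: the user/kernel split at the 31-bit boundary that the
 * message talks about.  A real kernel uses its own VM_MAXUSER_ADDRESS. */
#define USER_LIMIT ((uintptr_t)0x80000000UL)

/*
 * The obvious check.  It is wrong: when len is close to SIZE_MAX the sum
 * uaddr + len wraps past zero and ends up below USER_LIMIT again, so a
 * copy that would run over the whole kernel address space is accepted.
 */
bool naive_range_ok(uintptr_t uaddr, size_t len)
{
    return uaddr + len <= USER_LIMIT;
}

/*
 * Returns true only when [uaddr, uaddr + len) lies entirely below USER_LIMIT.
 * Three failure modes are told apart:
 *   1. len so large that uaddr + len wraps around (the overflow case),
 *   2. a range starting in user space that crosses the boundary,
 *   3. a range starting at or above the boundary.
 * The wrap test is written as a subtraction so that it cannot overflow itself.
 * A zero-length copy still has to name a user address.
 */
bool user_range_ok(uintptr_t uaddr, size_t len)
{
    if ((uintptr_t)len > UINTPTR_MAX - uaddr)   /* uaddr + len would wrap */
        return false;
    if (uaddr >= USER_LIMIT)                    /* starts in kernel space */
        return false;
    return uaddr + len <= USER_LIMIT;           /* end may touch, not cross */
}

int main(void)
{
    /* Constructed inputs: a wrapping length that the naive check accepts. */
    uintptr_t uaddr = 0x7ffff000UL;
    size_t len = SIZE_MAX - 0x100;

    printf("naive check accepts wrapped range: %s\n",
           naive_range_ok(uaddr, len) ? "yes" : "no");
    printf("safe check accepts wrapped range:  %s\n",
           user_range_ok(uaddr, len) ? "yes" : "no");
    return 0;
}
```

The subtraction form of the overflow test is the part worth copying: comparing `len` against `UINTPTR_MAX - uaddr` asks the same question as "does `uaddr + len` overflow" without performing the addition that would wrap.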