Subject: Re: fstat syscalls buggy in -current ?
To: <>
From: David Laight <david@l8s.co.uk>
List: current-users
Date: 05/15/2002 21:40:44
On Wed, May 15, 2002 at 01:23:52PM -0700, Bill Studenmund wrote:
> On Wed, 15 May 2002, David Laight wrote:
> 
> > On Wed, May 15, 2002 at 12:44:52PM -0700, Bill Studenmund wrote:
> > > Probably. i386 has a shared-address space; the kernel is mapped into the
> > > top of each process's address space. So the addresses were valid, and
> > > vmware probably ignored the not-user-space check.
> >
> > In that case it is particularly broken!
> > Definitely a serious security problem.....
> 
> Not necessarily, but maybe. The problem here is the kernel happily reading
> from or writing to kernel pages with code that should complain. To be a
> security problem, user code would need to be able to read/write kernel
> pages. That's a different problem, which isn't part of this thread so far.

So do a write() with a kernel address.....
Shouldn't complain until you get to copyin().
There is a strong inference that a user could dump kernel memory.

	David

-- 
David Laight: david@l8s.co.uk
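The "not-user-space check" the thread expects copyin()/copyout() to make, shown as an added defensive example (not code from NetBSD, vmware or either poster). It assumes a constructed i386-style split with the kernel mapped above a placeholder USER_LIMIT, and contrasts a naive end-address check with one that cannot be wrapped around.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (placeholder, not NetBSD's real constant): user
 * addresses are [0, USER_LIMIT); the kernel is mapped above that in every
 * process, the shared-address-space situation the thread describes.
 * Addresses are 32-bit on purpose so wraparound behaves as on i386. */
#define USER_LIMIT 0xbfc00000u

/* Naive check: computes the end first. On 32-bit arithmetic addr + len can
 * wrap past zero, so a kernel pointer with a huge length is let through. */
bool naive_user_range_ok(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;          /* may wrap */
    return end <= USER_LIMIT;
}

/* Hardened check: reject a kernel start address before any arithmetic,
 * then bound len by the space that actually remains below USER_LIMIT. */
bool user_range_ok(uint32_t addr, uint32_t len)
{
    if (addr >= USER_LIMIT)             /* starts in kernel space */
        return false;
    return len <= USER_LIMIT - addr;    /* no overflow: addr < USER_LIMIT */
}

/* What a write(2) path should do with the user buffer before copyin():
 * return EFAULT instead of reading kernel pages. Constructed model only. */
int write_buffer_check(uint32_t ubuf, uint32_t nbyte)
{
    return user_range_ok(ubuf, nbyte) ? 0 : EFAULT;
}

int main(void)
{
    /* write() handed a kernel address, as in the thread: must be EFAULT. */
    printf("kernel buf -> %d\n", write_buffer_check(0xc0100000u, 16));
    /* Wraparound: the naive check accepts, the hardened one refuses. */
    printf("wrap naive -> %d\n", naive_user_range_ok(0xbfbffff0u, 0x50000000u));
    printf("wrap fixed -> %d\n", user_range_ok(0xbfbffff0u, 0x50000000u));
    return 0;
}
```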