On Nov 16, 2006, at 9:08 AM, Joerg Sonnenberger wrote:

> Hi all,
> the current firewire ioctl bug shows an interesting difference in the
> various copyout(9) implementations. On i386 the bug doesn't exist as a
> combination of two affects protects against it:
> (1) The kernel address space is the upper half of the VM.
> (2) copuyout checks for overflows of the address space before doing  
> any
> copying. (Aka dst + len < 0xffffffff)
>
> I don't think we have any platforms which doesn't do (1),

m68k platforms based on the Hibler pmap (i.e. all of them but sun2/ 
sun3/sun3x) have completely separate 32-bit address spaces for kernel  
and user space.

-- thorpej