Hi!
> > From: Manfred Spraul <manfred@colorfullife.com>
> > Date: Tue, 06 Aug 2002 11:17:33 +0200
> >
> > > - printk("No.\n");
> > > + printk("No (that's security hole).\n");
> > > #ifdef CONFIG_X86_WP_WORKS_OK
> >
> > Could you explain the hole?
> > WP works for user space apps, only ring0 (or ring 0-2?) code
> > ignores the WP bit on i386.
> >
> >So copy_to_user() could write to user areas that are write-proteced.
> >
> >verify_area() checks aren't enough, consider a threaded application
> >calling mprotect() while the copy is in progress.
> Then we should either fix copy_to_user(), or mark 80386 unsupported, or
> disable multi-threading on 80386. It's a random memory corruption, far
> worse than a security hole.
Fortunately app has to be seriously missbehaving for this to happen. Fixing
copy_to_user would be nicest; I do not think dropping 386 because of *this*
is good idea... [But it might force 386 users to fix copy_to_user ;-)]
Pavel
-- Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt, details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Aug 23 2002 - 22:00:18 EST