Re: copy_from_user

From: Andrew Morton (
Date: Wed Jun 18 2003 - 02:31:10 EST

Paul Mackerras <> wrote:
> Some time ago (in the 2.1 series IIRC) we added code to copy_from_user
> to zero the remainder of the destination buffer if we faulted on the
> source. The motive was to eliminate some potential security holes
> that could arise if callers didn't check the return value from
> copy_from_user and continued on to pass the contents of the
> destination buffer back to userspace in one way or another.
> However, I notice that copy_from_user on i386 in 2.5 doesn't clear the
> destination if the access_ok() check fails,

This was not deliberate - the memset simply got lost.

It is simple enough to fix. Do we remember the details of the
security hole?

> or if the size is 1, 2 or 4.

This one is OK - __get_user_asm() does the zeroing in the fixup code.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Jun 23 2003 - 22:00:23 EST