Re: Bug : Out of range ptr error in module indicates bug in slab.c

From: Arjan van de Ven
Date: Thu Dec 30 2004 - 06:20:04 EST

Next message: Trond Myklebust: "Re: POSIX ACL's with NFS"
Previous message: selvakumar nagendran: "Bug : Out of range ptr error in module indicates bug in slab.c"
In reply to: selvakumar nagendran: "Bug : Out of range ptr error in module indicates bug in slab.c"
Next in thread: selvakumar nagendran: "Bug_reply : Out of range ptr error in module indicates bug in slab.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2004-12-30 at 02:54 -0800, selvakumar nagendran wrote:
> else {
> new -> pipe_read_end = fdes[0];
> new -> pipe_write_end = fdes[1];

this is a bug; fdes is a USERSPACE pointer, you cannot directly access
that from kernel space, you need to use copy_from_user() for that.

And note, what you are doing is unreliable, since the user is capable of
changing that information before you log it in your structure, so if you
want to use the data you log for anything security related or for
something that has to be accurate, it's broken...

> while(temp != NULL)
> {
> kfree(temp);
> temp = temp -> next;
> }

that is of course wrong; you free temp and THEN you access it!!

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Trond Myklebust: "Re: POSIX ACL's with NFS"
Previous message: selvakumar nagendran: "Bug : Out of range ptr error in module indicates bug in slab.c"
In reply to: selvakumar nagendran: "Bug : Out of range ptr error in module indicates bug in slab.c"
Next in thread: selvakumar nagendran: "Bug_reply : Out of range ptr error in module indicates bug in slab.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]