Re: [PATCH] sparc: copy_from_user() should not return -EFAULT

From: Arjan van de Ven
Date: Tue Jan 05 2010 - 22:20:31 EST


On Tue, 05 Jan 2010 18:27:18 +0100
Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:

> Heiko Carstens <heiko.carstens@xxxxxxxxxx> writes:
>
> > Subject: [PATCH] sparc: copy_from_user() should not return -EFAULT
> >
> > From: Heiko Carstens <heiko.carstens@xxxxxxxxxx>
> >
> > Callers of copy_from_user() expect it to return the number of bytes
> > it could not copy. In no case is it supposed to return -EFAULT.
> >
> > In case of a detected buffer overflow just return the requested
> > length. In addition one could think of a memset that would clear
> > the size of the target object.
>
> Ouch! I would expect this is likely exploitable, e.g. in mount

Yeah, once you have the buffer overflow there might be another exploit
instead... so yes, needs to be fixed.



--
Arjan van de Ven Intel Open Source Technology Centre
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
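
An added example, not part of the original thread or the kernel source: a userspace C model of the return-value contract from the quoted commit message, showing what a caller computes when a detected overflow returns -EFAULT through an unsigned return type versus the requested length. The names model_copy_buggy, model_copy_fixed and bytes_copied are hypothetical, and the "requested minus returned" caller pattern is an assumption about how callers use the result.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_EFAULT 14 /* stand-in for the kernel's EFAULT value */

typedef unsigned long (*copy_fn)(void *dst, size_t dst_size,
                                 const void *src, unsigned long n);

/* Behaviour the patch removes: a detected overflow yields -EFAULT,
 * which the unsigned return type turns into a huge "bytes left" count. */
static unsigned long model_copy_buggy(void *dst, size_t dst_size,
                                      const void *src, unsigned long n)
{
    if (n > dst_size)
        return (unsigned long)-MODEL_EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Behaviour the commit message describes: report the full requested
 * length as not copied, and clear the target object. */
static unsigned long model_copy_fixed(void *dst, size_t dst_size,
                                      const void *src, unsigned long n)
{
    if (n > dst_size) {
        memset(dst, 0, dst_size);
        return n;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Assumed caller pattern: copied = requested - not_copied. */
static long bytes_copied(copy_fn copy, unsigned long n)
{
    char dst[16];
    char src[64] = {0}; /* constructed sample input */
    unsigned long left = copy(dst, sizeof(dst), src, n);
    return (long)(n - left);
}

int main(void)
{
    printf("buggy, n=32: caller sees %ld bytes copied\n",
           bytes_copied(model_copy_buggy, 32));
    printf("fixed, n=32: caller sees %ld bytes copied\n",
           bytes_copied(model_copy_fixed, 32));
    return 0;
}
```

With the -EFAULT return, the caller's arithmetic reports more bytes copied than the 16-byte destination holds, so any later length-based use of that value is wrong; with the fixed return the count is zero.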