On Wednesday, January 10, 2001 12:47:17 AM -0500 Alexander Viro <[EMAIL PROTECTED]> wrote:

> However, actual code really looks like the end of filldir(). If that's the
> case we are deep in it - argument of filldir() gets screwed. buf, that is.
> Since it happens after we've already done dereferencing of buf in
> filldir() and we don't trigger them... Fsck knows. copy_to_user() and
> put_user() should not be able to screw the kernel stack.
>

In filldir, I don't like the line where we ((char *)dirent += reclen ;

If reclen is much larger than the buffer sent from userspace, I don't see how we stay in bounds.

-chris
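The concern raised in the message above, advancing the record pointer by reclen without knowing the record fits in the caller's buffer, can be modelled in user space. This is an added example, not code from the kernel or from anyone in the thread; model_dirent, model_buf, model_reclen and model_filldir are hypothetical names, and the layout is a simplified assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical user-space stand-in for a directory record (not the kernel's). */
struct model_dirent {
    unsigned long  d_ino;
    unsigned long  d_off;
    unsigned short d_reclen;
    char           d_name[1];
};

/* Hypothetical cursor over the buffer supplied by the caller. */
struct model_buf {
    char  *current;  /* where the next record is written */
    size_t count;    /* bytes still free */
};

#define NAME_OFF offsetof(struct model_dirent, d_name)

/* Record length for a name: header + name + NUL, rounded up to sizeof(long). */
size_t model_reclen(size_t namlen)
{
    return (NAME_OFF + namlen + 1 + sizeof(long) - 1) & ~(sizeof(long) - 1);
}

/* Append one record, or return -EINVAL and leave the cursor untouched. */
int model_filldir(struct model_buf *buf, const char *name, size_t namlen,
                  unsigned long ino)
{
    struct model_dirent hdr;
    size_t reclen;

    /* Keep reclen representable in the 16-bit d_reclen (also stops wraparound). */
    if (namlen > 0xFFFF - NAME_OFF - sizeof(long))
        return -EINVAL;
    reclen = model_reclen(namlen);
    if (reclen > buf->count)          /* record must fit in what is left */
        return -EINVAL;

    memset(&hdr, 0, sizeof hdr);
    hdr.d_ino = ino;
    hdr.d_reclen = (unsigned short)reclen;
    memcpy(buf->current, &hdr, NAME_OFF);
    memcpy(buf->current + NAME_OFF, name, namlen);
    buf->current[NAME_OFF + namlen] = '\0';

    buf->current += reclen;           /* the advance questioned above */
    buf->count -= reclen;
    return 0;
}
```

Both guards run before any write, so a rejected name leaves the cursor and the remaining count exactly as they were.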