On Tue, 19 Sep 2017 15:54:22 +0200,
Meng Xu wrote:
>
> Hi Takashi,
>
> Thanks for the reply. In my opinion, many security issues
> are in fact unhandled corner cases and this could be one.
>
> In the first fetch, get_user(hm->h.size, (u16 __user *)puhm),
> only 2 bytes from puhm are copied in an
Hi Takashi,
Thanks for the reply. In my opinion, many security issues
are in fact unhandled corner cases and this could be one.
In the first fetch, get_user(hm->h.size, (u16 __user *)puhm),
only 2 bytes from puhm are copied in and later it is ensured
that hm->h.size (which is also hm->m0.size gi
On Tue, 19 Sep 2017 07:21:56 +0200,
Meng Xu wrote:
>
> The hm->h.size is intended to hold the actual size of the hm struct
> that is copied from userspace and should always be <= sizeof(*hm).
>
> However, after copy_from_user(hm, puhm, hm->h.size), since the userspace
> process has full control over
The hm->h.size is intended to hold the actual size of the hm struct
that is copied from userspace and should always be <= sizeof(*hm).
However, after copy_from_user(hm, puhm, hm->h.size), since the userspace
process has full control over the memory region pointed to by puhm, it is
possible that the value
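The double-fetch pattern under discussion (a 2-byte size fetched and validated, then a full copy_from_user() of hm->h.size bytes that silently rewrites hm->h.size with whatever userspace holds at that instant), as an added self-contained C model that is not the driver's code and not part of the thread. The union layout, the simulated user memory, the sim_* stand-ins for get_user()/copy_from_user(), and the attacker callback are all assumptions made for the demo; the hardened variant shows one fix, re-checking the copied-in size against the value already validated:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message buffer modelled on the thread's hm->h.size / hm->m0.size:
 * a union whose every member starts with the same 16-bit size field. The real
 * layout is not on the page; this one is an assumption for the demo. */
struct msg_hdr { uint16_t size; uint16_t type; };
struct msg_v0  { uint16_t size; uint16_t type; uint32_t words[6]; };
union msgbuf { struct msg_hdr h; struct msg_v0 m0; };   /* 28 bytes */

/* Simulated user memory standing in for the region puhm points at. */
typedef struct { unsigned char bytes[64]; } user_mem;

/* Stand-ins for get_user()/copy_from_user(): plain copies, 0 on success. */
static int sim_get_user_u16(uint16_t *dst, const user_mem *u)
{
    memcpy(dst, u->bytes, sizeof *dst);
    return 0;
}
static int sim_copy_from_user(void *dst, const user_mem *u, size_t n)
{
    if (n > sizeof u->bytes)
        return -EFAULT;
    memcpy(dst, u->bytes, n);
    return 0;
}

/* Constructed user-side message: only the leading size field matters here. */
static void fill_user_msg(user_mem *u, uint16_t size)
{
    memset(u, 0, sizeof *u);
    memcpy(u->bytes, &size, sizeof size);
}

/* Racing user thread: rewrites the size field between the two kernel fetches. */
static void attacker_bump_size(user_mem *u)
{
    uint16_t big = 0xFFFF;
    memcpy(u->bytes, &big, sizeof big);
}

/* Vulnerable flow from the thread: fetch the 2-byte size, validate it, then copy
 * hm->h.size bytes, which overwrites hm->h.size itself with whatever user memory
 * holds at that moment. Returns the size later code would trust, or -errno.
 * `race` models the window between the two fetches. */
static int ioctl_double_fetch(user_mem *u, void (*race)(user_mem *), union msgbuf *hm)
{
    if (sim_get_user_u16(&hm->h.size, u))
        return -EFAULT;
    if (hm->h.size > sizeof *hm)
        return -EINVAL;                 /* the first check is fine on its own */
    if (race)
        race(u);
    if (sim_copy_from_user(hm, u, hm->h.size))
        return -EFAULT;
    return hm->h.size;                  /* may now exceed sizeof *hm */
}

/* Hardened variant: copy only the validated length and reject the message if
 * the copied-in header disagrees with it, so the second fetch is never trusted
 * more than the first. */
static int ioctl_single_trust(user_mem *u, void (*race)(user_mem *), union msgbuf *hm)
{
    uint16_t checked;
    if (sim_get_user_u16(&hm->h.size, u))
        return -EFAULT;
    if (hm->h.size > sizeof *hm)
        return -EINVAL;
    checked = hm->h.size;
    if (race)
        race(u);
    if (sim_copy_from_user(hm, u, checked))
        return -EFAULT;
    if (hm->h.size != checked)
        return -EINVAL;                 /* size changed under us: TOCTOU */
    return hm->h.size;
}

/* Run one scenario; returns the size the kernel path ends up with. */
static int run(int hardened, int racy, uint16_t user_size)
{
    user_mem u;
    union msgbuf hm;
    void (*race)(user_mem *) = racy ? attacker_bump_size : NULL;
    fill_user_msg(&u, user_size);
    memset(&hm, 0, sizeof hm);
    return hardened ? ioctl_single_trust(&u, race, &hm)
                    : ioctl_double_fetch(&u, race, &hm);
}

int main(void)
{
    printf("vulnerable, raced: %d (sizeof hm is %zu)\n",
           run(0, 1, sizeof(union msgbuf)), sizeof(union msgbuf));
    printf("hardened, raced:   %d\n", run(1, 1, sizeof(union msgbuf)));
    printf("oversized up front: %d\n", run(0, 0, 1000));
    return 0;
}
```

In the raced vulnerable run the first check passes with 28, yet the value handed to the rest of the driver is 0xFFFF; any later code that uses hm->h.size as a length over hm reads far past the 28-byte buffer. The hardened variant returns -EINVAL for the same input because the copied-in size no longer matches the one that was validated.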