This has come up before, and as you noticed nothing in that header is looked at
after that second copy.
Also if the user space cache manager was trying to be malicious it wouldn't
have to resort to multi-threaded race conditions. It could make a setuid root
shell appear, or many other things a
"hdr" has been copied in from user space and "hdr.opcode" is checked.
The code copies it again. User space data between the two copies is
subject to modification if the user-space code is multithreaded and
malicious. The modification may invalidate the check. In the original
code, "hdr.opcode" is n