Hi Jerry and Dan,
Sorry for the late reply. I looked at this issue again and found
that simple patches like memcmp(buf, in_env, in_len) &&
memcmp(buf + in_len, out_env, out_len) will only work
in the case of (cmd == ND_CMD_CALL) and does not apply
to other cmd.
In fact, I fail to find a patch
Hi Jerry,
Thank you for the question. Yes, these double copies
do seem to present an issue.
__nd_ioctl() and acpi_nfit_ctl() both use the same way
to derive `out_size`, but based on different data fetches.
A simple patch would be
memcmp(buf, in_env, in_len)
memcmp(buf + in_len, out_env, out_len
On Thu, Aug 31, 2017 at 03:42:52PM -0700, Dan Williams wrote:
> [ adding Jerry ]
>
> On Wed, Aug 23, 2017 at 2:07 PM, Meng Xu wrote:
> > From: Meng Xu
> >
> > While examining the kernel source code, I found a dangerous operation that
> > could turn into a double-fetch situation (a race condition
Hi Dan,
I have adjusted the patch as suggested by moving the check
on nd_reserved2 to acpi_nfit_ctl(). The new patch can be found
at https://marc.info/?l=linux-kernel&m=150453930712916&w=2
Best Regards,
Meng
On 08/31/2017 06:42 PM, Dan Williams wrote:
[ adding Jerry ]
On Wed, Aug 23, 2017 at 2:07 PM, Meng Xu wrote:
> From: Meng Xu
>
> While examining the kernel source code, I found a dangerous operation that
> could turn into a double-fetch situation (a race condition bug) where
> the same userspace memory region is fetched twice into kernel
From: Meng Xu
While examining the kernel source code, I found a dangerous operation that
could turn into a double-fetch situation (a race condition bug) where
the same userspace memory region is fetched twice into kernel with sanity
checks after the first fetch while missing checks after the sec