On 21/04/2014 01:46, Taylor R Campbell wrote:
> > From: "Maxime Villard" <m...@netbsd.org>
> > Date: Wed, 16 Apr 2014 18:55:20 +0000
> >
> > An (un)privileged user can easily make the kernel dereference a NULL
> > pointer.
> >
> > The kernel allows 'data' to be NULL; it's the fs's responsibility to
> > ensure that it isn't NULL (if the fs actually needs data).
>
> In most cases of the changes you made, there is already a test for the
> length of the data buffer. Is this not guaranteed to be zero if data
> is null? It seems to me that the length test ought to suffice, and if
> anything the null pointer test should be an assertion, not a check.
Not at all. 'data' and 'data_len' come from userspace. A user can set data to NULL and data_len to a value high enough to bypass the data_len check. I've already demonstrated that to security-alert@.
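The failure mode described in this reply, as an added illustration that is not NetBSD code and not part of the original thread: a toy mount handler whose only guard is a length test, beside one that also rejects a NULL buffer. Everything here is hypothetical (the `toyfs_args` structure, the function names, the outcome enum); it assumes a VFS_MOUNT-style entry point that reads the argument buffer directly after the syscall layer has handed it over, with both `data` and `data_len` chosen by the caller. The real kernel would fault on the NULL dereference; the simulation reports that point instead so the code can run.

```c
/*
 * Added example, not NetBSD code. Shows why a length-only check on a
 * mount argument buffer is bypassable when the caller controls both the
 * pointer and the length: data == NULL together with a large data_len
 * passes the length test and reaches the dereference.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mount-argument structure for a toy filesystem. */
struct toyfs_args {
    uint32_t version;
    uint32_t flags;
};

enum mount_outcome {
    MOUNT_REJECTED = 1,  /* handler returned an error before any read */
    MOUNT_PARSED,        /* arguments read safely into *out */
    MOUNT_NULL_DEREF     /* real code would fault here; simulated report */
};

/*
 * Stand-in for the read the filesystem performs on 'data'. In the kernel
 * a NULL 'data' faults here; the simulation returns MOUNT_NULL_DEREF so
 * the example runs without crashing.
 */
static enum mount_outcome
copy_args(const void *data, struct toyfs_args *out)
{
    if (data == NULL)
        return MOUNT_NULL_DEREF;
    memcpy(out, data, sizeof(*out));
    return MOUNT_PARSED;
}

/*
 * Length-only validation: the pattern the reply says is insufficient.
 * It implicitly assumes data == NULL implies data_len == 0, which the
 * caller does not have to honour.
 */
enum mount_outcome
toyfs_mount_length_only(const void *data, size_t data_len,
    struct toyfs_args *out)
{
    if (data_len < sizeof(*out))
        return MOUNT_REJECTED;
    return copy_args(data, out);
}

/*
 * Hardened validation: the VFS layer permits a NULL 'data', so a
 * filesystem that needs arguments must reject NULL itself, independent
 * of whatever data_len claims.
 */
enum mount_outcome
toyfs_mount_hardened(const void *data, size_t data_len,
    struct toyfs_args *out)
{
    if (data == NULL || data_len < sizeof(*out))
        return MOUNT_REJECTED;
    return copy_args(data, out);
}

int
main(void)
{
    struct toyfs_args parsed;
    struct toyfs_args good = { 1, 0 };   /* constructed, well-formed input */

    /* Attacker-style input: NULL buffer, length large enough to pass. */
    printf("length-only, NULL/4096: %d (3 = would dereference NULL)\n",
        toyfs_mount_length_only(NULL, 4096, &parsed));
    printf("hardened,    NULL/4096: %d (1 = rejected)\n",
        toyfs_mount_hardened(NULL, 4096, &parsed));

    /* Well-formed input is accepted by both. */
    printf("hardened, valid args:   %d (2 = parsed)\n",
        toyfs_mount_hardened(&good, sizeof(good), &parsed));
    return 0;
}
```

The point the hardened variant makes is that the NULL test and the length test guard different things: the length test protects against a short buffer, the NULL test against the caller lying about having supplied one at all. Neither implies the other when both values originate in userspace, which is why it has to be a check rather than an assertion.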