On Mon, 11 Dec 2006 01:16:47 +0900 (JST), Atsushi Nemoto <anemo@mba.ocn.ne.jp>
wrote:
> If we passed an invalid _and_ unaligned source address to
> copy_from_user(), the fault handling code miscalculates a length of
> uncopied bytes and returns a value greater than original length. This
> also causes a negative buffer overflow and overwrites some bytes just
> before the destination kernel buffer.
>
> This can happen in the "src_unaligned" case in memcpy.S. If the first load
> from source buffer was a LDFIRST/LDREST (L[WD][RL]) instruction, it
> raises an exception and the THREAD_BUADDR will be an aligned address so
> it will be _smaller_ than its real target address.
Sorry, this is wrong! Please ignore this patch.
In this case THREAD_BUADDR should be an _unaligned_ address. On QEMU
THREAD_BUADDR was an _aligned_ address so it might be a QEMU bug ...
---
Atsushi Nemoto
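The arithmetic behind the retracted report, as an added userspace model that is not Atsushi Nemoto's patch and not the kernel's arch/mips/lib/memcpy.S. It assumes a fixup handler that knows only the faulting address (THREAD_BUADDR) and reconstructs the uncopied count as src_end - badvaddr, then zero-fills the destination tail from dst + (len - uncopied); the addresses 0x1003/0x1000, the 16-byte length and the 8-byte guard region are constructed for the demonstration. It shows that an aligned-down fault address on an unaligned source yields a count larger than the original length and a zero-fill that starts before the destination buffer, and contrasts a clamped variant that refuses fault addresses outside the source range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed model of a copy_from_user fault fixup (NOT the kernel's memcpy.S):
 * after a fault part-way through the copy the handler only has the faulting
 * address (BadVAddr) and derives "bytes not copied" from it.
 */
#define GUARD   8    /* constructed guard region placed before the destination */
#define DST_LEN 16   /* constructed copy length */

struct fixup {
    size_t    uncopied;   /* value the copy routine would return to its caller */
    ptrdiff_t zero_from;  /* offset from dst at which the zero-fill would start */
};

/* uncopied = src_end - badvaddr; zero-fill begins at dst + (len - uncopied) */
static struct fixup model_fixup(uintptr_t src, size_t len, uintptr_t badvaddr)
{
    struct fixup f;
    f.uncopied  = (src + len) - badvaddr;
    f.zero_from = (ptrdiff_t)len - (ptrdiff_t)f.uncopied;
    return f;
}

/* Hardened variant: a fault address outside [src, src_end] is clamped, so the
 * returned count can never exceed len and the zero-fill never precedes dst. */
static struct fixup model_fixup_clamped(uintptr_t src, size_t len, uintptr_t badvaddr)
{
    if (badvaddr < src)       badvaddr = src;
    if (badvaddr > src + len) badvaddr = src + len;
    return model_fixup(src, len, badvaddr);
}

/*
 * Perform the modelled zero-fill into a buffer that has GUARD bytes of 0xAA
 * in front of the destination.  Returns how many guard bytes were clobbered,
 * i.e. the size of the "negative overflow" before the destination buffer.
 */
static size_t simulate_zero_fill(struct fixup f)
{
    unsigned char buf[GUARD + DST_LEN];
    unsigned char *dst = buf + GUARD;
    ptrdiff_t start = f.zero_from;
    size_t clobbered = 0;

    memset(buf, 0xAA, sizeof buf);
    if (start < -(ptrdiff_t)GUARD)   /* keep the model inside its own array */
        start = -(ptrdiff_t)GUARD;
    for (ptrdiff_t i = start; i < (ptrdiff_t)DST_LEN; i++)
        dst[i] = 0;

    for (size_t i = 0; i < GUARD; i++)
        if (buf[i] != 0xAA)
            clobbered++;
    return clobbered;
}

int main(void)
{
    /* Constructed case from the mail: src is not 4-byte aligned, first load
     * (LWL at 0x1003) faults.  Correct BadVAddr is 0x1003; an aligned-down
     * BadVAddr would be 0x1000. */
    const uintptr_t src = 0x1003;
    const size_t    len = DST_LEN;
    struct fixup ok   = model_fixup(src, len, 0x1003);
    struct fixup bad  = model_fixup(src, len, 0x1000);
    struct fixup safe = model_fixup_clamped(src, len, 0x1000);

    printf("correct BadVAddr : uncopied=%zu zero_from=%td guard clobbered=%zu\n",
           ok.uncopied, ok.zero_from, simulate_zero_fill(ok));
    printf("aligned BadVAddr : uncopied=%zu zero_from=%td guard clobbered=%zu\n",
           bad.uncopied, bad.zero_from, simulate_zero_fill(bad));
    printf("clamped fixup    : uncopied=%zu zero_from=%td guard clobbered=%zu\n",
           safe.uncopied, safe.zero_from, simulate_zero_fill(safe));
    return 0;
}
```

With the correct, unaligned fault address the model returns 16 (nothing copied) and the zero-fill starts at dst; with the aligned-down address it returns 19 for a 16-byte copy and the fill starts 3 bytes before dst, which is the overwrite the original report described. The clamp is the check a fixup path would want if it cannot trust the reported fault address to lie inside the source range.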