
Re: [PATCH] Fix negative buffer overflow in copy_from_user

Subject: Re: [PATCH] Fix negative buffer overflow in copy_from_user
From: Atsushi Nemoto <>
Date: Mon, 11 Dec 2006 13:40:24 +0900 (JST)
On Mon, 11 Dec 2006 01:16:47 +0900 (JST), Atsushi Nemoto <> 
> If we passed an invalid _and_ unaligned source address to
> copy_from_user(), the fault handling code miscalculates the length of
> uncopied bytes and returns a value greater than the original length.  This
> also causes a negative buffer overflow and overwrites some bytes just
> before the destination kernel buffer.
> This can happen in the "src_unaligned" case in memcpy.S.  If the first load
> from the source buffer was a LDFIRST/LDREST (L[WD][RL]) instruction, it
> raises an exception and the THREAD_BUADDR will be an aligned address, so
> it will be _smaller_ than its real target address.

Sorry, this is wrong!  Please ignore this patch.

In this case THREAD_BUADDR should be an _unaligned_ address.  On QEMU
THREAD_BUADDR was an _aligned_ address so it might be a QEMU bug ...

Atsushi Nemoto
