linux-mips

Re: [PATCH] Fix negative buffer overflow in copy_from_user

To: linux-mips@linux-mips.org
Subject: Re: [PATCH] Fix negative buffer overflow in copy_from_user
From: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Date: Mon, 11 Dec 2006 13:40:24 +0900 (JST)
Cc: ralf@linux-mips.org
In-reply-to: <20061211.011647.41196525.anemo@mba.ocn.ne.jp>
Original-recipient: rfc822;linux-mips@linux-mips.org
References: <20061211.011647.41196525.anemo@mba.ocn.ne.jp>
Sender: linux-mips-bounce@linux-mips.org
On Mon, 11 Dec 2006 01:16:47 +0900 (JST), Atsushi Nemoto <anemo@mba.ocn.ne.jp> wrote:
> If we passed an invalid _and_ unaligned source address to
> copy_from_user(), the fault handling code miscalculates the length of
> uncopied bytes and returns a value greater than the original length.  This
> also causes a negative buffer overflow and overwrites some bytes just
> before the destination kernel buffer.
> 
> This can happen in the "src_unaligned" case in memcpy.S.  If the first load
> from the source buffer was a LDFIRST/LDREST (L[WD][RL]) instruction, it
> raises an exception and the THREAD_BUADDR will be an aligned address, so
> it will be _smaller_ than its real target address.

Sorry, this is wrong!  Please ignore this patch.

In this case THREAD_BUADDR should be an _unaligned_ address.  On QEMU
THREAD_BUADDR was an _aligned_ address so it might be a QEMU bug ...

---
Atsushi Nemoto
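As an added illustration (not code from the patch, from memcpy.S or from the author), a small C model of the fixup arithmetic the quoted text describes. It assumes the handler derives the uncopied count as (src + len) - THREAD_BUADDR and zero-fills the destination tail from (dst + len) - uncopied; both are assumptions, as are the sample addresses. It shows why a word-aligned THREAD_BUADDR (as observed on QEMU) over-counts and lands before the destination buffer, while the correct unaligned address does not.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative model of the load-fault fixup path, not the real memcpy.S.
 * ASSUMPTION: uncopied = (src + len) - THREAD_BUADDR, and the fixup
 * zero-fills the destination starting at (dst + len) - uncopied.
 */
struct fixup {
    size_t    uncopied;   /* bytes reported as not copied */
    uintptr_t fill_start; /* first destination byte the fixup touches */
    int       underflows; /* 1 if fill_start lies before dst */
};

struct fixup model_load_fault(uintptr_t src, uintptr_t dst, size_t len,
                              uintptr_t buaddr)
{
    struct fixup f;
    f.uncopied   = (size_t)((src + len) - buaddr);
    f.fill_start = (dst + len) - f.uncopied;
    /* Sanity check a defensive handler would want: uncopied <= len. */
    f.underflows = (f.uncopied > len) || (f.fill_start < dst);
    return f;
}

/* Word-aligned address, as QEMU was observed to report in THREAD_BUADDR. */
static uintptr_t align_down(uintptr_t a, uintptr_t sz)
{
    return a & ~(sz - 1);
}

int main(void)
{
    /* Constructed sample: unaligned, invalid 8-byte source copy. */
    uintptr_t src = 0x1003, dst = 0x80002000;
    size_t len = 8;

    struct fixup good = model_load_fault(src, dst, len, src);
    struct fixup bad  = model_load_fault(src, dst, len, align_down(src, 4));

    printf("unaligned BUADDR: uncopied=%zu underflow=%d\n",
           good.uncopied, good.underflows);
    printf("aligned   BUADDR: uncopied=%zu underflow=%d (%zu bytes before dst)\n",
           bad.uncopied, bad.underflows, (size_t)(dst - bad.fill_start));
    return 0;
}
```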
