Re: [PATCH] Avoid buffer overflows in get_user_pages()
From: Bodo Eggert <7eggert@...>
To: Andrew Morton <akpm@...>, Jonathan Corbet <corbet@...>, <linux-kernel@...>, <torvalds@...>
Subject: Re: [PATCH] Avoid buffer overflows in get_user_pages()
Date: Tuesday, February 12, 2008 - 4:34 am
Andrew Morton <akpm@linux-foundation.org> wrote:

> On Mon, 11 Feb 2008 16:17:33 -0700 Jonathan Corbet <corbet@lwn.net> wrote:
>
>> Avoid buffer overflows in get_user_pages()
>>
>> So I spent a while pounding my head against my monitor trying to figure
>> out the vmsplice() vulnerability - how could a failure to check for
>> *read* access turn into a root exploit? It turns out that it's a buffer
>> overflow problem which is made easy by the way get_user_pages() is
>> coded.
>>
>> In particular, "len" is a signed int, and it is only checked at the
>> *end* of a do {} while() loop. So, if it is passed in as zero, the loop
>> will execute once and decrement len to -1. At that point, the loop will
>> proceed until the next invalid address is found; in the process, it will
>> likely overflow the pages array passed in to get_user_pages().
[...]
> Can we just convert
>
> do {
> ...
> } while (len);
>
> into
>
> while (len) {

while (len > 0), if I understand this patch correctly.
-- 
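Added example, not code from this thread or from the kernel: a constructed C model of the loop shape Corbet describes (`len` a signed int, tested only at the end of a `do {} while (len)` loop) beside the `while (len > 0)` form Bodo suggests. Everything here is an assumption for illustration: the function names `walk_do_while`, `walk_while_positive` and `run_model`, the constructed page table `sample_valid`, and the caller array size `PAGES_CAP`. The model reports an out-of-bounds store instead of performing it, so it can be run safely to see why `len == 0` matters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, NOT the kernel's get_user_pages(): a loop that
 * "pins" consecutive pages into a caller-supplied array until either
 * len runs out or an invalid address is reached. */
#define NR_FAKE_PAGES 16   /* size of the constructed address space */
#define PAGES_CAP 4        /* capacity of the caller's pages[] array */

/* Constructed page table: addresses 0..9 are valid, 10..15 are not. */
static const bool sample_valid[NR_FAKE_PAGES] = {
    true, true, true, true, true, true, true, true, true, true,
    false, false, false, false, false, false,
};

struct walk_result {
    int pinned;      /* number of pages the loop tried to store */
    int overflowed;  /* 1 if any store would have landed past cap */
};

static bool page_valid(unsigned long addr, const bool *valid, size_t n)
{
    return addr < n && valid[addr];
}

/* Store one page with an explicit bounds check so the overflow is
 * reported rather than corrupting memory in this model. */
static void store_page(unsigned long *pages, int cap, unsigned long addr,
                       struct walk_result *r)
{
    if (r->pinned < cap)
        pages[r->pinned] = addr;
    else
        r->overflowed = 1;
    r->pinned++;
}

/* Shape described in the thread: len is checked only at the END of the
 * loop. len == 0 runs the body once, len becomes -1, and the loop keeps
 * going until an invalid address stops it. */
struct walk_result walk_do_while(unsigned long start, int len,
                                 const bool *valid, size_t nvalid,
                                 unsigned long *pages, int cap)
{
    struct walk_result r = {0, 0};
    do {
        if (!page_valid(start, valid, nvalid))
            break;
        store_page(pages, cap, start, &r);
        start++;
        len--;
    } while (len);
    return r;
}

/* Suggested shape: test len > 0 BEFORE each iteration, so zero and
 * negative lengths do no work at all. */
struct walk_result walk_while_positive(unsigned long start, int len,
                                       const bool *valid, size_t nvalid,
                                       unsigned long *pages, int cap)
{
    struct walk_result r = {0, 0};
    while (len > 0) {
        if (!page_valid(start, valid, nvalid))
            break;
        store_page(pages, cap, start, &r);
        start++;
        len--;
    }
    return r;
}

/* Run either loop over the constructed page table from address 0. */
struct walk_result run_model(int len, bool use_fixed_loop)
{
    unsigned long pages[PAGES_CAP];
    if (use_fixed_loop)
        return walk_while_positive(0, len, sample_valid, NR_FAKE_PAGES,
                                   pages, PAGES_CAP);
    return walk_do_while(0, len, sample_valid, NR_FAKE_PAGES,
                         pages, PAGES_CAP);
}

int main(void)
{
    struct walk_result bad = run_model(0, false);
    struct walk_result good = run_model(0, true);
    printf("do/while, len=0: pinned=%d overflowed=%d\n", bad.pinned, bad.overflowed);
    printf("while (len > 0), len=0: pinned=%d overflowed=%d\n", good.pinned, good.overflowed);
    return 0;
}
```

With a four-entry caller array and ten valid pages, the do/while form given `len == 0` walks all ten valid pages and would have written six entries past the array; the `while (len > 0)` form does nothing for `len == 0`, and both forms behave identically for a positive `len` that fits.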