Re: [reiserfs-list] major security bug in reiserfs (may affect SuSE

Chris Mason (mason@suse.com)
Wed, 10 Jan 2001 13:48:43 -0500


On Wednesday, January 10, 2001 12:38:34 PM -0500 Alexander Viro
<viro@math.psu.edu> wrote:

> On Wed, 10 Jan 2001, Chris Mason wrote:
>
>> In filldir, I don't like the line where we ((char *)dirent += reclen ;
>> If reclen is much larger than the buffer sent from userspace, I don't
>> see how we stay in bounds.
>
> So? copy_to_user() and put_user() will refuse to scramble the
> kernel memory. IOW, dirent can be out of the userspace. Hell, user could
> call getdents() and pass it a kernel pointer. Try it and you'll see what
> happens.
>

Ah thanks, that makes more sense. But, copy_to_user is only working on
namelen bytes, and reclen is bigger than that. So, who is checking the
value for the buf->current_dir pointer?

-chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/