Re: [CHECKER] 4 security holes in 2.4.4-ac8

David S. Miller (davem@redhat.com)
Tue, 29 May 2001 15:07:59 -0700 (PDT)


Dawson Engler writes:
> -------------------------------------------------------------------------------
> [BUG] raddr seems to be a user pointer, but is written at the end of
> the system call.
>
> ipc/shm.c: ERROR: system call 'sys_shmat' derefs non-tainted param= 3
>
> asmlinkage long sys_shmat (int shmid, char *shmaddr, int shmflg, ulong *raddr)
> {
> struct shmid_kernel *shp;
>
>
> ...
> *raddr = (unsigned long) user_addr;
> err = 0;
> if (IS_ERR(user_addr))
> err = PTR_ERR(user_addr);
> return err;

Believe it or not, this one is OK :-)

All callers pass in a pointer to a local stack kernel variable
in raddr.

Later,
David S. Miller
davem@redhat.com

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/