Re: [CHECKER] security rules? (and 2.4.5-ac4 security bug)

Dawson Engler (engler@csl.Stanford.EDU)
Sat, 9 Jun 2001 19:13:36 -0700 (PDT)


> Indeed; the bug in the uuid_strategy which you pointed out in the
> random driver wasn't caused by the fact that we were using a
> user-specified length (since the length was being capped to a maximum
> value of 16). The security bug was that the test was done on a signed
> value, and copy_to_user() takes an unsigned value.
>
> So your checker found a real bug, but it wasn't the one that the
> checker thought it was. :-)

No, it was the bug the checker thought it was: a signed integer from
user space that had only been upper-bound checked. If the value had
been unsigned, or had been checked in a range lower_bound < x <
upper_bound there wouldn't have been a message.

But I certainly concede that the message could be more informative.

Dawson
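
The pattern discussed in this thread, as an added example that is not part of the original messages and is not the kernel's code: a user-space C model of a signed length that is only upper-bound checked, beside the range-checked and unsigned variants that would not have been flagged. The function names and MAX_LEN are hypothetical; the value 16 is the cap mentioned in the quoted text.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_LEN 16  /* hypothetical name; 16 is the cap mentioned in the thread */

/* Flawed: signed length, upper bound only. A negative value passes the
 * cap untouched and becomes a huge count once converted to unsigned. */
size_t capped_signed(int user_len)
{
    if (user_len > MAX_LEN)
        user_len = MAX_LEN;
    return (size_t)user_len;   /* what a callee taking an unsigned count sees */
}

/* Range check: reject anything outside 0..MAX_LEN.
 * Returns 0 and stores the count, or -1 without touching *count. */
int range_checked(int user_len, size_t *count)
{
    if (user_len < 0 || user_len > MAX_LEN)
        return -1;
    *count = (size_t)user_len;
    return 0;
}

/* Unsigned length: the upper-bound cap alone is sufficient. */
size_t capped_unsigned(size_t user_len)
{
    return user_len > MAX_LEN ? MAX_LEN : user_len;
}

int main(void)
{
    int samples[] = { 8, 100, -1 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = range_checked(samples[i], &n);
        printf("len=%4d  capped_signed=%zu  range_checked=%s\n",
               samples[i], capped_signed(samples[i]),
               rc == 0 ? "ok" : "rejected");
    }
    printf("capped_unsigned((size_t)-1)=%zu\n", capped_unsigned((size_t)-1));
    return 0;
}
```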