Re: 2.2 PATCH: check return from copy_*_user in fs/pipe.c

Hugh Dickins (hugh@veritas.com)
Wed, 20 Jun 2001 16:52:03 +0100 (BST)


On Tue, 19 Jun 2001, Andrew Tridgell wrote:
> Davem wrote:
> > > The anonymous pipe code in 2.2 does not check the return value of
> > > copy_*_user. This can lead to silent loss of data.
>
> Linus didn't want to fix it in pipe.c until copy_from_user was fixed
> on all architectures to zero any parts of the destination that were
> not written to (due to the source being invalid). He didn't want us to
> fix just this one case and then forget about fixing the general case
> by fixing copy_*_user.

Thanks for shedding light on this, I was curious about that zeroing.
Please correct my understanding if I'm wrong to say:

1. If all copy_from_user() callers checked the residue returned and
acted appropriately, there would be no need for such zeroing;
2. Usually Linux prefers to fix all the abusers of a macro or
function, rather than adding extra safety checks within it;
3. But here, the security risk, the ease of abuse, and the difficulty
in auditing all uses (more each day), led to this zeroing within?

May your source never be invalid,
Hugh
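The contract under discussion, as an added example that is not part of the original message or of the kernel tree: copy_from_user() returns the number of bytes it could not copy, so a caller that ignores that residue leaves whatever the destination buffer previously held in the tail of the copy. The code below is a userspace model of that behaviour (all names, the simulated user address space, the 'S' marker for stale bytes and MODEL_EFAULT are hypothetical stand-ins, not kernel identifiers). It contrasts the unchecked caller, the caller that checks the residue and fails the write, and a zeroing variant of the copy routine that protects even an unchecked caller.

```c
/* Added example, not from the original message or the kernel tree.
 * Userspace model of the copy_from_user() contract: it copies as much as it
 * can, stops at the first unmapped source byte, and returns the residue
 * (bytes NOT copied; 0 on full success).  The "user" address space is
 * simulated: only the first USER_LIMIT bytes of sim_user_mem are mapped. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEL_EFAULT 14          /* hypothetical stand-in for -EFAULT */
#define USER_LIMIT 8             /* bytes of simulated user memory that are mapped */
#define PIPE_SIZE 12             /* size of the simulated pipe buffer */

/* Constructed sample user memory; reading at or past USER_LIMIT "faults". */
static const unsigned char sim_user_mem[16] = "0123456789abcde";

/* Simulated kernel-side pipe buffer, which retains data from earlier writers. */
static unsigned char pipe_buf[PIPE_SIZE];

/* Model of copy_from_user(): copy what is mapped, return the residue. */
static size_t model_copy_from_user(void *to, size_t from_off, size_t n)
{
    size_t avail = from_off < USER_LIMIT ? USER_LIMIT - from_off : 0;
    size_t done = n < avail ? n : avail;
    memcpy(to, sim_user_mem + from_off, done);
    return n - done;
}

/* Variant that also zeroes the part of the destination it could not fill. */
static size_t model_copy_from_user_zeroing(void *to, size_t from_off, size_t n)
{
    size_t left = model_copy_from_user(to, from_off, n);
    if (left)
        memset((unsigned char *)to + (n - left), 0, left);
    return left;
}

/* Pretend an earlier writer left 'S' (stale) bytes in the pipe buffer. */
static void fill_stale(void)
{
    memset(pipe_buf, 'S', PIPE_SIZE);
}

/* Bug pattern: the residue is ignored and n bytes are reported as written,
 * although the tail of the buffer still holds the previous writer's data. */
static int pipe_write_unchecked(size_t from_off, size_t n)
{
    fill_stale();
    model_copy_from_user(pipe_buf, from_off, n);
    return (int)n;
}

/* Fixed caller: a non-zero residue fails the whole write. */
static int pipe_write_checked(size_t from_off, size_t n)
{
    fill_stale();
    if (model_copy_from_user(pipe_buf, from_off, n))
        return -MODEL_EFAULT;
    return (int)n;
}

/* Zeroing copy routine: an unchecked caller still reports the wrong length,
 * but no longer exposes stale kernel-side bytes to a reader. */
static int pipe_write_unchecked_zeroing(size_t from_off, size_t n)
{
    fill_stale();
    model_copy_from_user_zeroing(pipe_buf, from_off, n);
    return (int)n;
}

/* Count stale 'S' bytes among the first n bytes of the pipe buffer. */
static int stale_bytes(size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n && i < PIPE_SIZE; i++)
        if (pipe_buf[i] == 'S')
            c++;
    return c;
}

int main(void)
{
    /* Source offset 4 with length 10 crosses the mapped limit after 4 bytes. */
    int r1 = pipe_write_unchecked(4, 10);
    printf("unchecked: returned %d, stale bytes exposed: %d\n", r1, stale_bytes(10));
    int r2 = pipe_write_checked(4, 10);
    printf("checked:   returned %d (expected -%d)\n", r2, MODEL_EFAULT);
    int r3 = pipe_write_unchecked_zeroing(4, 10);
    printf("zeroing:   returned %d, stale bytes exposed: %d\n", r3, stale_bytes(10));
    return 0;
}
```

The checked caller is the fix the patch in this thread proposes for fs/pipe.c; the zeroing variant is the general-case change Hugh is asking about, which limits what an unaudited caller can leak but does not by itself make the reported length correct.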
