[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Usage of get_user_pages() in fs/aio.c

To: Ingo Oeser <ingo.oeser@informatik.tu-chemnitz.de>
Subject: Re: Usage of get_user_pages() in fs/aio.c
From: Benjamin LaHaise <bcrl@redhat.com>
Date: Thu, 7 Nov 2002 14:46:25 -0500
Cc: linux-mm@kvack.org
Fake-Sender: owner-linux-mm@kvack.org
In-Reply-To: <20021106211538.M659@nightmaster.csn.tu-chemnitz.de>; from ingo.oeser@informatik.tu-chemnitz.de on Wed, Nov 06, 2002 at 09:15:38PM +0100
Original-Recipient: rfc822;linux-mm-archive@humbolt.geo.uu.nl
References: <20021106211538.M659@nightmaster.csn.tu-chemnitz.de>
Sender: Rik van Riel <riel@nl.linux.org>
User-Agent: Mutt/1.2.5.1i

On Wed, Nov 06, 2002 at 09:15:38PM +0100, Ingo Oeser wrote:
> What this can cause is clear ;-)
> 
> Simple fix would be to replace "info->mmap_size" with "nr_pages",
> that you compute just some lines above.

Whoops.  Yeah, that's a bug.  It hasn't actually been noticed in 
testing because the array of pages is freshly allocated from mmap 
and thus stops filling the array at nr_pages, but it could be 
exploited by a hostile user.  I'll feed that patch up asap.

		-ben
-- 
"Do you seek knowledge in time travel?"
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/

References:
- Usage of get_user_pages() in fs/aio.c
  - From: Ingo Oeser <ingo.oeser@informatik.tu-chemnitz.de>

Prev by Date: Re: 2.5.46-mm1
Next by Date: Re: get_user_pages rewrite (completed, updated for 2.4.46)
Prev by thread: Usage of get_user_pages() in fs/aio.c
Next by thread: get_user_pages rewrite (completed, updated for 2.4.46)
Index(es):
- Date
- Thread