[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point

To: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
From: Chris Wright <chrisw@xxxxxxxx>
Date: Mon, 27 Jun 2005 13:00:53 -0700
Cc: Chris Wright <chrisw@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 27 Jun 2005 20:00:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

* Keir Fraser (Keir.Fraser@xxxxxxxxxxxx) wrote:
> 
> On 27 Jun 2005, at 19:41, Chris Wright wrote:
> 
> >Unless I missed something, not bounds checking entries in do_set_gdt is
> >a security hole.
> >
> >Signed-off-by: Chris Wright <chrisw@xxxxxxxx>
> 
> The check happens in set_gdt(). do_set_gdt is just a wrapper with a 
> copy_from_user plus conditional tlb flush.

I know, but copy_from_user has no sane limits.  This is stack smash.
-chris

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
  - From: Keir Fraser

References:
- [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
  - From: Chris Wright
- Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
  - From: Keir Fraser

Prev by Date: Re: [Xen-devel] FYI: 2.6.11 XenLinux has issues with x86-64 ia32 emulation compilation on gcc4
Next by Date: Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
Previous by thread: Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
Next by thread: Re: [Xen-devel] [PATCH] proper bounds check in do_set_gdt entry point
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.