Looks like a bug in the 7300 disk driver
clewis at ecicrl.UUCP
clewis at ecicrl.UUCP
Thu Jan 12 14:09:19 AEST 1989
In article <1365 at mtunb.ATT.COM> jcm at mtunb.UUCP (was-John McMillan) writes:
>In article <983 at mstar.UUCP> karl at mstar.UUCP (Karl Fox) writes:
>>Come on, folks! If you provide a 4-byte buffer to read, it is a BUG to
>>write 512 bytes to it! Sure, the raw disk device has size limitations,
>>but it should never round up. The driver should probably return EINVAL
>>if the size isn't a multiple of 512.
>
> OK. I agree. But I live in terror of making this patch and
> finding it breaks someone's code.
Which is nothing compared to the terror of discovering that someone
has exploited this bug to overwrite his own user structure and modify
and/or crash the kernel. (In some kernels the user area is in a protected
area at the top of a process's stack)
This is an integrity hole if not security hole.
Hint: what's in the other 508 bytes? If the driver is so stupid
as to *round up* certain requests, how can we be sure that it's actually
checking the bounds of *any* I/O request?
This is analogous to the buffer overrun of "gets()" which someone
(who shall remain nameless) used to inject a virus into the internet.
Sheesh.
This bug should be officially reported.
--
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)
More information about the Comp.sys.att
mailing list