At 1:09 AM -0800 12/2/03, Eric Cordian wrote:
As reported today on Slashdot, in Linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space.
Rule 1: When you audit code for security, be sure there is a complete check of all input parameters. Make at least one pass through the code where this is the only check you make. As can be seen by multiple problems of this type, it's easy to forget.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as a | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032
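Added example, not part of the original messages and not the kernel's own code: a sketch of the kind of parameter check the quoted report says was missing, shown beside a version that omits it. It assumes a 32-bit layout with user space ending at 3 GiB (0xC0000000) and 4 KiB pages; all function and macro names are hypothetical.

```c
#include <stdint.h>

/* Assumptions for illustration: user space is the lower 3 GiB, 4 KiB pages. */
#define USER_LIMIT 0xC0000000u
#define PAGE_SZ    4096u

/* Round len up to whole pages. Returns 0 and sets *out, or -1 if the
 * rounding wraps past 2^32 (the rounded value would be smaller than len). */
static int page_align_len(uint32_t len, uint32_t *out)
{
    uint32_t aligned = (len + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
    if (aligned < len)
        return -1;
    *out = aligned;
    return 0;
}

/* "Before": the length is aligned, but nothing ties addr or addr+len to the
 * user portion of the address space, so any range is accepted. */
int map_request_unchecked(uint32_t addr, uint32_t len)
{
    uint32_t alen;
    (void)addr;                 /* never validated: this is the defect */
    if (page_align_len(len, &alen) != 0)
        return -1;
    return 0;                   /* 0 = request accepted */
}

/* "After": every input is checked. The comparison is written as
 * alen > USER_LIMIT - addr so that addr + alen is never computed and
 * therefore cannot wrap around. */
int map_request_checked(uint32_t addr, uint32_t len)
{
    uint32_t alen;
    if (page_align_len(len, &alen) != 0)
        return -1;              /* length wrapped during alignment */
    if (alen == 0)
        return 0;               /* nothing to map */
    if (addr > USER_LIMIT)
        return -1;              /* start lies above user space */
    if (alen > USER_LIMIT - addr)
        return -1;              /* end would cross the 3 GiB boundary */
    return 0;
}
```

A range ending exactly at the boundary is accepted; one byte more, after page rounding, is rejected.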