Please educate a curious cat
Posted Aug 16, 2007 5:27 UTC (Thu) by felixfix
Parent article: Exploiting races in system call wrappers
I understand what is going on; a pointer or some other piece of user data is changed by a user program, in a different thread probably, between validation and use.
I haven't written this kind of code; the last OS work I did passed all syscall parameters in registers. But I am a bit confused. Wouldn't it be very simple to avoid these race conditions by copying the user data to kernel memory before validating? Obviously this wouldn't work with the infamous setuid switcheroo, but for syscall parameters, it would seem to work very well. The only case I can think of to make it difficult would be where the user data in question is too large for easy copying to kernel memory.
to post comments)