On Thu, Jan 11, 2001 at 08:52:08AM -0700, Quinn Jensen wrote:

> Here's a kernel patch. The __access_ok macro looks one byte
> too far and fails. Since copy_mount_options() isn't
> sure how long the string arguments are, it just copies
> to the end of the page. Since this is on busybox's
> stack, the copy wants to go all the way to 0x7FFFFFF
> and hits this corner case.

I don't like this solution as it inflates the kernel noticeably. Actually even the bug itself hasn't been one; this off by one mistake was deliberately accepted in the - obviously wrong - assumption that nobody would ever try to use the last byte of userspace. See also the Alpha variant of the code; looks like they suffer from the same problem.

My solution will be to truncate userspace by at least 4kb. I've chosen to even truncate it by 32kb; this will also make the layout of the address space for 32-bit processes on 64-bit kernels and 32-bit kernels identical again.

Ralf
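
Added example, not part of the original message and not the kernel's own code: a simplified C model of the off-by-one discussed in this thread, comparing a cheap range check that tests one byte past the end, an exact check, and the effect of truncating userspace. Assumptions: user space is the low 2 GB (bit 31 set marks a kernel address), pages are 4 KB, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define KERNEL_BIT      0x80000000u  /* assumption: bit 31 set = kernel address */
#define PAGE_SIZE_MODEL 4096u        /* assumption: 4 KB pages */

/* Cheap check: tests addr + size, which is one byte past the range. */
static int access_ok_cheap(uint32_t addr, uint32_t size)
{
    return ((addr | (addr + size) | size) & KERNEL_BIT) == 0;
}

/* Exact check: tests the last byte actually touched (more work per call). */
static int access_ok_exact(uint32_t addr, uint32_t size)
{
    if (size == 0)
        return (addr & KERNEL_BIT) == 0;
    return ((addr | (addr + size - 1) | (size - 1)) & KERNEL_BIT) == 0;
}

/* Model of a copy that runs from addr to the end of its page. */
static uint32_t bytes_to_page_end(uint32_t addr)
{
    return PAGE_SIZE_MODEL - (addr & (PAGE_SIZE_MODEL - 1));
}

/* First address above user space when it is truncated by trunc bytes. */
static uint32_t user_top(uint32_t trunc)
{
    return KERNEL_BIT - trunc;
}

/* Would a copy-to-end-of-page starting at arg pass the given check? */
static int mount_copy_ok(uint32_t arg, int (*check)(uint32_t, uint32_t))
{
    return check(arg, bytes_to_page_end(arg));
}

int main(void)
{
    uint32_t top_arg   = user_top(0) - 0x100u;      /* constructed: on last user page */
    uint32_t trunc_arg = user_top(32768u) - 0x100u; /* constructed: 32 KB truncation */

    printf("cheap check, full user space:      %d\n", mount_copy_ok(top_arg, access_ok_cheap));
    printf("exact check, full user space:      %d\n", mount_copy_ok(top_arg, access_ok_exact));
    printf("cheap check, truncated user space: %d\n", mount_copy_ok(trunc_arg, access_ok_cheap));
    return 0;
}
```

With userspace truncated, no legitimate range can end on the last byte below the kernel boundary, so the cheap check stays correct without extra instructions in every call.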