From owner-freebsd-security Sat Sep 8 18: 8:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 37A3D37B406 for ; Sat, 8 Sep 2001 18:08:29 -0700 (PDT) Received: from localhost (arr@localhost) by fledge.watson.org (8.11.6/8.11.5) with SMTP id f8918DC14673; Sat, 8 Sep 2001 21:08:13 -0400 (EDT) (envelope-from arr@watson.org) Date: Sat, 8 Sep 2001 21:08:12 -0400 (EDT) From: "Andrew R. Reiter" To: Kris Kennaway , bright@mu.org, bde@zeta.org.au Cc: security@freebsd.org Subject: Re: netbsd vulnerabilities In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org So, I'd like to bring this to conclusion as this bug sucks :-( So, I propose that the patch I submitted is "ok" (:-)) b/c it #1 solves the unsigned -> int -> unsigned (copyin call) issue, and #2 conforms to what is specified in the man page _and_ in sys/sys/sem.h. However, if this is not the correct usage of semop(), ie. we don't want to have it unsigned, then we must #1 fix to check < 0 for the vuln, #2 fix the man page, #3 fix code that was written to the man page spec, and #4 fix sys/sys/sem.h. Thoughts? Andrew *-------------................................................. | Andrew R. Reiter | arr@fledge.watson.org | "It requires a very unusual mind | to undertake the analysis of the obvious" -- A.N. Whitehead To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message