Each user_*() tapset call in conversions.stp should set_fs(USER_DS) and restore it; each user/kernel_*() tapset or runtime type call should check the pointers with access_ok(), redundantly if necessary. See also bug #1288, which could be started upon with an access_ok()-based address filtering function. See also: https://bugzilla.redhat.com/show_bug.cgi?id=452759
On ia64, access_ok() is defined as below:

    #define __access_ok(addr, size, segment)                                \
    ({                                                                      \
        __chk_user_ptr(addr);                                               \
        (likely((unsigned long) (addr) <= (segment).seg)                    \
         && ((segment).seg == KERNEL_DS.seg                                 \
             || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \
    })

    #define access_ok(type, addr, size) __access_ok((addr), (size), get_fs())

and KERNEL_DS.seg = 0xffffffffffffffff.

This means, if we set segment=KERNEL_DS, access_ok() always returns 1. :-(
Recent loc2c changes do this.
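Added example, not from the bug report or the SystemTap sources: a user-space model of the quoted ia64 __access_ok() logic and of the set_fs(USER_DS)/check/restore pattern the first comment asks for, showing that the check passes any address under KERNEL_DS but rejects a kernel-range address once fs is switched to USER_DS. Only KERNEL_DS.seg comes from the report; USER_DS.seg, RGN_MAP_LIMIT and REGION_OFFSET() are assumed placeholder definitions, not the real ia64 values.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t seg; } mm_segment_t;

/* KERNEL_DS.seg is the value quoted in the report; USER_DS.seg,
 * RGN_MAP_LIMIT and REGION_OFFSET() are assumed placeholders. */
static const mm_segment_t KERNEL_DS = { 0xffffffffffffffffULL };
static const mm_segment_t USER_DS   = { 0x0000100000000000ULL };
#define RGN_MAP_LIMIT     0x0000100000000000ULL
#define REGION_OFFSET(a)  ((a) & ((1ULL << 61) - 1))

/* Model of the per-task fs value that get_fs()/set_fs() manipulate;
 * starts as KERNEL_DS, as in a kernel-side probe context. */
static mm_segment_t current_fs = { 0xffffffffffffffffULL };
static mm_segment_t get_fs(void) { return current_fs; }
static void set_fs(mm_segment_t s) { current_fs = s; }

/* Same boolean structure as the quoted __access_ok() macro:
 * under KERNEL_DS the first operand is always true and the
 * "== KERNEL_DS.seg" branch short-circuits the region test. */
static int model_access_ok(uint64_t addr, mm_segment_t segment)
{
    return addr <= segment.seg
        && (segment.seg == KERNEL_DS.seg
            || REGION_OFFSET(addr) < RGN_MAP_LIMIT);
}

/* Pattern from the first comment: switch to USER_DS, run the check
 * against get_fs(), then restore the caller's segment. */
static int user_check_with_fs(uint64_t addr)
{
    mm_segment_t old = get_fs();
    int ok;
    set_fs(USER_DS);
    ok = model_access_ok(addr, get_fs());
    set_fs(old);
    return ok;
}

int main(void)
{
    uint64_t kaddr = 0xe000000000001000ULL; /* constructed kernel-range address */
    printf("under KERNEL_DS: %d, with set_fs(USER_DS): %d\n",
           model_access_ok(kaddr, get_fs()), user_check_with_fs(kaddr));
    return 0;
}
```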