[CHECKER] copy_*_user length bugs?

Dawson Engler (engler@csl.Stanford.EDU)
Tue, 17 Apr 2001 21:39:15 -0700 (PDT)


Hi All,

at the suggestion of Chris (chris@ferret.lmh.ox.ac.uk) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.

As an example, the ipv6 routine rawv6_geticmpfilter gets an integer 'len'
from user space, checks that it is smaller than a struct size and then
uses length as an argument to copy_to_user:

	if (get_user(len, optlen))
		return -EFAULT;
	if (len > sizeof(struct icmp6_filter))
		len = sizeof(struct icmp6_filter);
	if (put_user(len, optlen))
		return -EFAULT;
	if (copy_to_user(optval, &sk->tp_pinfo.tp_raw.filter, len))
		return -EFAULT;

Is this a real bug? Or is the checked rule only applicable to
__copy_*_user routines rather than copy_*_user routines? (If it's a real
bug, there are about 8 others that we found.)

Thanks,
Dawson
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
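The following C program is an added example, not part of Dawson's post and not kernel code. It models the signed-length pattern the checker flags with plain user-space stand-ins (the kernel's copy_to_user, get_user and put_user are not called; the functions just return the count copy_to_user would be handed). It shows three cases: the quoted pattern, where the int is compared against sizeof() and so is implicitly converted to unsigned for the comparison; a hypothetical variant where the bound is held in an int, so the comparison is signed; and a hardened form with an explicit negative check. The struct layout (8 x 32-bit words) is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local model of the kernel struct: assumed 8 x 32-bit words = 32 bytes. */
struct icmp6_filter {
	uint32_t data[8];
};

/* Model of the quoted pattern. 'len' is an int, sizeof() is a size_t, so the
 * usual arithmetic conversions turn a negative len into a huge unsigned value
 * for the comparison; it tests as too large and is clamped to sizeof().
 * Returns the count that copy_to_user(optval, &filter, len) would receive. */
unsigned long len_vs_sizeof(int len)
{
	if (len > sizeof(struct icmp6_filter))
		len = sizeof(struct icmp6_filter);
	return (unsigned long)len;
}

/* Hypothetical variant: the bound lives in an int, so the comparison is
 * signed. A negative len passes the clamp untouched and becomes a huge
 * unsigned count once it reaches copy_*_user's unsigned long parameter. */
unsigned long len_vs_int_bound(int len)
{
	int max = sizeof(struct icmp6_filter);	/* signed bound, hypothetical */
	if (len > max)
		len = max;
	return (unsigned long)len;
}

/* Hardened form: reject negative lengths explicitly before clamping. The
 * check no longer depends on whether the bound is signed or unsigned.
 * Returns 0 and stores the count, or -EINVAL for a negative length. */
int len_checked(int len, unsigned long *count)
{
	if (len < 0)
		return -EINVAL;
	if ((size_t)len > sizeof(struct icmp6_filter))
		len = sizeof(struct icmp6_filter);
	*count = (unsigned long)len;
	return 0;
}

int main(void)
{
	unsigned long count = 0;
	int rc;

	printf("int vs sizeof, len=-1 -> count %lu\n", len_vs_sizeof(-1));
	printf("int vs int,    len=-1 -> count %lu\n", len_vs_int_bound(-1));
	rc = len_checked(-1, &count);
	printf("checked,       len=-1 -> rc %d\n", rc);
	rc = len_checked(16, &count);
	printf("checked,       len=16 -> rc %d count %lu\n", rc, count);
	return 0;
}
```

Running it shows the difference between the two unchecked variants: the quoted int-versus-sizeof form clamps a negative length to 32 through the implicit unsigned comparison, while the int-versus-int form hands copy_*_user a count of ULONG_MAX. The explicit `len < 0` test in the hardened form is what the checker is asking for, and it makes the intent visible regardless of how the bound is typed.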