We run a checker that warns about derefence of user-pointer errors on
linux-2.5.63 and got the following warning message in
init/do_mounts.c:create_dev, which needs clarifications.
---------------------------------------------------------
/home/junfeng/linux-2.5.63/init/do_mounts.c:437:create_dev: ERROR:TAINTED:442:437:dereferencing tainted ptr 'devfs_name'
sys_unlink(name);
if (!do_devfs)
return sys_mknod(name, S_IFBLK|0600, dev);
Error--->
if (devfs_name && devfs_name[0]) {
if (strncmp(devfs_name, "/dev/", 5) == 0)
devfs_name += 5;
sprintf(path, "/dev/%s", devfs_name);
if (sys_access(path, 0) == 0)
Start --->
return sys_symlink(devfs_name, name);
}
if (!dev)
return -1;
It seems to us that create_dev can only be called at boot time (the
"__init" attribute), so devfs_name must be an untainted kernel pointer.
The warning on line 437 isn't a real error.
However, this pointer is finally passed into strncpy_from_user through the
call chain [ sys_symlink (devfs_name, name) --> getname (oldname) -->
do_getname(filename, _) --> strncpy_from_user (_, filename, _)]. Is it
okay to call *_from_user functions with the second arguements untainted?
What will access_ok(VERIFY_READ, src, 1) return?
As usual, any response will be greatly apppreciated. Thanks a lot!
-Junfeng
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/