Re: [CHECKER] 2 potential out-of-bound user-pointer errors in

Andrew Morton (akpm@digeo.com)
Thu, 15 May 2003 15:03:44 -0700

Junfeng Yang <yjf@stanford.edu> wrote:
>
>
> Hi,
>
> Enclosed are two warnings found in fs/readdir.c, where user provided
> pointers are accessed out of 'verified' bounds.
>
> The warnings are found by: first, whenenver we see calls to verify_area,
> access_ok and all the no-underscore versions of *_user functions, we
> remember the verified bounds. when a user-pointer is accessed thru
> __*_user functions, we check if the verified bound is big enough.
>
> Please confirm or clarify. Thanks!

The code as-is appears to be OK. Note how sys_getdents64() will run
access_ok() against the entire user buffer up-front. Then the start/len of
that verified area is copied into the getdents_callback64 and that is
propagated down to filldir64().

And filldir64() looks like it correctly remains within the bounds of the
start/len.

I guess that copy_to_user() should be __copy_to_user().

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/