Re: [CHECKER] 2 potential out-of-bound user-pointer errors in

Junfeng Yang (yjf@stanford.edu)
Thu, 15 May 2003 17:29:08 -0700 (PDT)


Thanks for the clarifications! so these are not real security bugs, but
redundant checks.

-Junfeng

On Thu, 15 May 2003, Andrew Morton wrote:

> Junfeng Yang <yjf@stanford.edu> wrote:
> >
> >
> > Hi,
> >
> > Enclosed are two warnings found in fs/readdir.c, where user provided
> > pointers are accessed out of 'verified' bounds.
> >
> > The warnings are found by: first, whenenver we see calls to verify_area,
> > access_ok and all the no-underscore versions of *_user functions, we
> > remember the verified bounds. when a user-pointer is accessed thru
> > __*_user functions, we check if the verified bound is big enough.
> >
> > Please confirm or clarify. Thanks!
>
> The code as-is appears to be OK. Note how sys_getdents64() will run
> access_ok() against the entire user buffer up-front. Then the start/len of
> that verified area is copied into the getdents_callback64 and that is
> propagated down to filldir64().
>
> And filldir64() looks like it correctly remains within the bounds of the
> start/len.
>
> I guess that copy_to_user() should be __copy_to_user().
>
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/