I've been taking care of auditing some return values for instances of
unchecked copy_*_user calls and I've come across one case that's
marked as a bug at kbugs.org which however doesn't seem like one to me.
The piece of code I'm referring can be found in
net/bluetooth/hci_core.c:436
if (!verify_area(VERIFY_WRITE, ptr, sizeof(ir) +
(sizeof(struct inquiry_info) * ir.num_rsp))) {
copy_to_user(ptr, &ir, sizeof(ir));
ptr += sizeof(ir);
copy_to_user(ptr, buf, sizeof(struct inquiry_info) * ir.num_rsp); } else
err = -EFAULT;
I'm presuming verify_area() does its job fine returning 0 if the memory
is valid and -EFAULT if not. Thus, given the exact check that's been
done, there seems indeed to exist no need to check each call to
copy_to_user() below. Or is there?
Thanks in advance,
Paulo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/