Re: Question on verify_area() and friends wrt

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Paulo Andre': "[PATCH] Check copy_*_user return value in drivers/block/scsi_ioctl.c"
• Previous message: Matt Mackall: "Re: Resend [PATCH] Make KOBJ_NAME_LEN match BUS_ID_SIZE"

copy_to_user() does the equivelent of a verify_area(). __copy_to_user()
doesn't
make the verify_area() check.If a function is going to be making a lot of
copies to
the same area, it makes sense to just do one verify_area() and use
__copy_to_user().
Both copy_to_user() and __copy_to_user() can fail even though the
verify_area()
checks pass.

In this case there is only one copy to each area so it doesn't really make
sense to use __copy_to_user().

My patch would look like this:

--- net/bluetooth/hci_core.c.orig 2003-05-25 00:25:16.000000000 +0200
+++ net/bluetooth/hci_core.c 2003-05-25 00:25:34.000000000 +0200
@@ -431,14 +431,14 @@

BT_DBG("num_rsp %d", ir.num_rsp);

- if (!verify_area(VERIFY_WRITE, ptr, sizeof(ir) +
- (sizeof(struct inquiry_info) * ir.num_rsp))) {
- copy_to_user(ptr, &ir, sizeof(ir));
- ptr += sizeof(ir);
- copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
ir.num_rsp);
- } else
+ if (copy_to_user(ptr, &ir, sizeof(ir))) {
err = -EFAULT;
-
+ goto free:
+ }
+ ptr += sizeof(ir);
+ if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) * ir.num_rsp))
+ err = -EFAULT;
+free:
kfree(buf);

done:

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Paulo Andre': "[PATCH] Check copy_*_user return value in drivers/block/scsi_ioctl.c"
• Previous message: Matt Mackall: "Re: Resend [PATCH] Make KOBJ_NAME_LEN match BUS_ID_SIZE"