Hi,
Enclosed are two warnings found in fs/readdir.c, where user provided
pointers are accessed out of 'verified' bounds.
The warnings are found by: first, whenever we see calls to verify_area,
access_ok and all the no-underscore versions of *_user functions, we
remember the verified bounds. When a user-pointer is accessed through
__*_user functions, we check if the verified bound is big enough.
Please confirm or clarify. Thanks!
-Junfeng
---------------------------------------------------------
[BUG] copy_to_user verifies that [0, namelen) of dirent->d_name is okay to
write, but the following __put_user accesses dirent->d_name + namelen
/home/junfeng/linux-2.5.69/fs/readdir.c:239:filldir64:
ERROR:BUFFER:239:239:memory operation error (len < off + n) (__put_user(0,
(void*)(char*)&dirent->d_name + (char*)(long unsigned
int)namlen):(void*)(char*)&dirent->d_name + (char*)(long unsigned
int)namlen, len = sym_8, off = sym_8 + 0, n = 1, min (off + n - len = 1)
goto efault;
if (__put_user(d_type, &dirent->d_type))
goto efault;
if (copy_to_user(dirent->d_name, name, namlen))
goto efault;
Error --->
if (__put_user(0, dirent->d_name + namlen))
goto efault;
((char *) dirent) += reclen;
buf->current_dir = dirent;
---------------------------------------------------------
[BUG] copy_to_user verifies that [0, namelen) of dirent->d_name is okay to
write, but the following __put_user accesses dirent->d_name + namelen
/home/junfeng/linux-2.5.69/fs/readdir.c:154:filldir:
ERROR:BUFFER:154:154:memory operation error (len < off + n) (__put_user(0,
(void*)(char*)&dirent->d_name + (char*)(long unsigned
int)namlen):(void*)(char*)&dirent->d_name + (char*)(long unsigned
int)namlen, len = sym_8, off = sym_8 + 0, n = 1, min (off + n - len = 1)
goto efault;
if (__put_user(reclen, &dirent->d_reclen))
goto efault;
if (copy_to_user(dirent->d_name, name, namlen))
goto efault;
Error --->
if (__put_user(0, dirent->d_name + namlen))
goto efault;
((char *) dirent) += reclen;
buf->current_dir = dirent;
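Added illustration, not part of the mail above and not the checker itself: a small Python model of the bounds-tracking rule the mail describes, replaying the filldir sequence from the report. The base-pointer name, the offsets and the namlen values are constructed for the example.

```python
# Added illustration, not Junfeng's checker: a small model of the rule his mail
# describes. Calls that verify user memory (verify_area, access_ok, copy_to_user,
# put_user, ...) record a [off, off+n) range for a base pointer; a later
# __put_user/__get_user on that pointer is flagged unless a recorded range covers it.
from collections import defaultdict


class UserPtrChecker:
    def __init__(self):
        # base pointer (as a string name) -> list of verified (start, end) offsets
        self.verified = defaultdict(list)

    def verify(self, base, off, n):
        """Remember that [off, off+n) of `base` has been checked."""
        self.verified[base].append((off, off + n))

    def shortfall(self, base, off, n):
        """Bytes by which [off, off+n) exceeds the best covering verified range.
        0 means the access is covered; n means nothing verified starts at or before off."""
        best = n
        for start, end in self.verified[base]:
            if start <= off:
                best = min(best, max(0, off + n - end))
        return best

    def check_access(self, base, off, n):
        """Model a __*_user access: return None if covered, else an error string
        in the spirit of the checker output quoted in the mail."""
        missing = self.shortfall(base, off, n)
        if missing == 0:
            return None
        return (f"memory operation error (len < off + n) on {base}+{off}, "
                f"n = {n}, min (off + n - len = {missing})")


def filldir_trace(namlen, verify_area_len=None):
    """Replay the sequence from the mail (constructed offsets, namlen chosen by caller):
    optional earlier verification of the whole d_name buffer, copy_to_user of namlen
    bytes, then __put_user of the NUL terminator at d_name + namlen."""
    chk = UserPtrChecker()
    if verify_area_len is not None:
        chk.verify("dirent->d_name", 0, verify_area_len)  # earlier verify_area/access_ok
    chk.verify("dirent->d_name", 0, namlen)               # copy_to_user(dirent->d_name, name, namlen)
    return chk.check_access("dirent->d_name", namlen, 1)  # __put_user(0, dirent->d_name + namlen)


if __name__ == "__main__":
    print(filldir_trace(8))        # flagged: one byte past the verified range, as in the report
    print(filldir_trace(8, 9))     # covered when a wider range was verified earlier
```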
This archive was generated by hypermail 2b29 : Thu May 15 2003 - 22:00:58 EST