strlen_user and keys

From: Andries.Brouwer
Date: Sat Apr 08 2006 - 17:11:36 EST

Next message: Michael Kerrisk: "man-pages-2.29 is released"
Previous message: Serge E. Hallyn: "Re: [RFC][PATCH 1/5] uts namespaces: Implement utsname namespaces"
Next in thread: David Howells: "Re: strlen_user and keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[faraway from home, not near recent kernel source]

strnlen_user() is documented as returning the string length including
terminating NUL. Probably that was a bad idea - people expect that
if user space and kernel library functions have similar names, they do
similar things. The shouting "INCLUDING" in the description already
shows that also the author expected that bugs would be created by
using this name.

[see, e.g., arch/i386/lib/usercopy.c]

security/keys/keyctl.c does

dlen = strnlen_user(_description, PAGE_SIZE - 1);
description = kmalloc(dlen + 1, GFP_KERNEL);
copy_from_user(description, _description, dlen + 1);

copying one byte too many.
(Thus in some unknown kernel source tree, maybe 2.6.14.
This may have been fixed already.)

Andries
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michael Kerrisk: "man-pages-2.29 is released"
Previous message: Serge E. Hallyn: "Re: [RFC][PATCH 1/5] uts namespaces: Implement utsname namespaces"
Next in thread: David Howells: "Re: strlen_user and keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]