Faults in Linux Kernel 3.x : Unchecked value from copy_from_user used as loop index

As part of my work, I need to annotate the reports generated using Coccinelle scripts as bugs/FPs for recent Linux kernels, recent as in versions > 3.0 till the current one, 3.18.

So in reading the reports (newer ones) I first completed Linux_copy.new.org.

It has reports for the pattern where unchecked values obtained from user level may be used as array indices or loop bounds.

It has reports where copy_from_user is used.

What is copy_from_user?

It copies a block of data from user space to kernel space.

It returns the number of bytes that could not be copied. On success, this will be zero.

If some data could not be copied, this function will pad the copied data to the requested size using zero bytes.

More here.

As I also described here, using values taken from the user as array or loop bounds without a check is bad.
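The pattern described above, as an added example that is not from the original post or from the kernel tree: a userspace C model of a handler that checks both the copy_from_user return value and the user-supplied bound before looping. Here copy_from_user is a stand-in stub, and struct req, MAX_ENTRIES, handle_request and try_count are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8                 /* hypothetical table size */

struct req {                          /* hypothetical request layout */
    unsigned int count;               /* user-controlled loop bound */
    int values[MAX_ENTRIES];
};

static int table[MAX_ENTRIES];        /* stands in for kernel-side state */

/* Userspace stand-in for the kernel's copy_from_user(): returns the
 * number of bytes NOT copied, so 0 means success. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    if (from == NULL)
        return n;                     /* simulate a faulting user pointer */
    memcpy(to, from, n);
    return 0;
}

/* Hardened handler: check the copy, then validate the bound before use. */
static int handle_request(const void *uarg)
{
    struct req r;
    unsigned int i;
    if (copy_from_user(&r, uarg, sizeof(r)))
        return -EFAULT;               /* incomplete copy: do not trust r */
    /* The reported fault pattern omits this check and loops to r.count. */
    if (r.count > MAX_ENTRIES)
        return -EINVAL;
    for (i = 0; i < r.count; i++)
        table[i] = r.values[i];
    return (int)r.count;
}

/* Constructed caller: builds a request carrying the given count. */
static int try_count(unsigned int count)
{
    struct req r = { .count = count, .values = { 1, 2, 3 } };
    return handle_request(&r);
}

int main(void)
{
    printf("count=3 -> %d, count=9 -> %d\n", try_count(3), try_count(9));
    return 0;
}
```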

 

There was only one TODO in this org file.

What is it? An FP or a bug?

Oh, it is a bug. They have used a value taken from the user using copy_from_user as an array bound.

I’ll be sending patches to fix these issues once I’m done with the work of annotating the reports.
