Faults in Linux 3.x : Using value from get_user without check as array index

As part of my work, I need to annotate the reports generated using Coccinelle scripts as bugs/FPs for recent Linux kernels, recent as in versions > 3.0 up to the current one, 3.18.

As I'm reading the newer reports, today I completed Linux_get.new.org.

This org file holds the report on unchecked values obtained from user space via the get_user function that may then be used as array indices or loop bounds. I have written some other blog posts for this case too.


What is get_user?

It is used to get a simple variable from user space.

This macro copies a single simple variable from user space to kernel space. It supports simple types like char and int, but not larger data types like structures or arrays.

For more.


What did I find?

There was only one TODO and it was a bug. Look at the code snippet below:


	if (get_user(count, &argp->dest_count)) {
		ret = -EFAULT;
		goto out;
	}

	/* count comes straight from user space and is used here with no range check */
	size = offsetof(struct btrfs_ioctl_same_args __user, info[count]);


The value taken from get_user is used as an array index without any check on its range. A clear bug. It's still present in the current Linux kernel, so a patch for this case is lined up.
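To show why the missing check matters, here is an added userspace C illustration (not code from the post or from the kernel): the struct layout, field widths and the MAX_DEST_COUNT bound are constructed for the demonstration, but the size computation mirrors the offsetof(..., info[count]) pattern above, first unchecked and then with the range check a patch would add.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ioctl argument block: a fixed header followed
 * by a flexible array of per-destination records. Names and widths are
 * invented for this example and are not the kernel's definitions. */
struct dest_info {
    uint64_t fd;
    uint64_t logical_offset;
    uint64_t bytes_deduped;
    int32_t  status;
    uint32_t reserved;
};

struct same_args {
    uint64_t logical_offset;
    uint64_t length;
    uint64_t dest_count;           /* the field the post reads via get_user() */
    struct dest_info info[];
};

#define MAX_DEST_COUNT 64ULL       /* constructed upper bound, not a kernel constant */

/* Pattern from the post: the user-supplied count feeds straight into the size,
 * i.e. offsetof(struct same_args, info[count]). Written out as header plus
 * count * element size so it compiles with any C compiler. On a size_t of
 * 64 bits a count of 2^59 times 32-byte elements wraps the product to 0, so
 * the computed size is smaller than for a single element. */
size_t size_unchecked(uint64_t count)
{
    return offsetof(struct same_args, info) + (size_t)count * sizeof(struct dest_info);
}

/* Hardened variant: reject out-of-range counts before any arithmetic or
 * indexing, so the buffer sized here always covers a later loop over
 * 'count' entries. Returns 0 on success or -EINVAL on rejection. */
int size_checked(uint64_t count, size_t *size)
{
    if (count > MAX_DEST_COUNT)
        return -EINVAL;
    *size = offsetof(struct same_args, info) + (size_t)count * sizeof(struct dest_info);
    return 0;
}

int main(void)
{
    size_t sz;
    uint64_t huge = (uint64_t)1 << 59;
    printf("count=1    unchecked size=%zu\n", size_unchecked(1));
    printf("count=2^59 unchecked size=%zu (wrapped)\n", size_unchecked(huge));
    printf("count=2^59 checked: %s\n", size_checked(huge, &sz) == -EINVAL ? "rejected" : "accepted");
    return 0;
}
```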
