Date: Thu, 15 May 2003 15:03:44 -0700
From: Andrew Morton <akpm@digeo.com>
To: Junfeng Yang <yjf@stanford.edu>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu
Subject: Re: [CHECKER] 2 potential out-of-bound user-pointer errors in
 fs/readdir.c
Message-Id: <20030515150344.1b2686f2.akpm@digeo.com>
In-Reply-To: <Pine.GSO.4.44.0305151329550.29285-100000@elaine24.Stanford.EDU>
References: <Pine.GSO.4.44.0305112337160.3242-100000@elaine24.Stanford.EDU>
	<Pine.GSO.4.44.0305151329550.29285-100000@elaine24.Stanford.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1136
Lines: 31

Junfeng Yang <yjf@stanford.edu> wrote:
>
> 
> Hi,
> 
> Enclosed are two warnings found in fs/readdir.c, where user provided
> pointers are accessed out of 'verified' bounds.
> 
> The warnings are found by: first, whenenver we see calls to verify_area,
> access_ok and all the no-underscore versions of *_user functions, we
> remember the verified bounds. when a user-pointer is accessed thru
> __*_user functions, we check if the verified bound is big enough.
> 
> Please confirm or clarify. Thanks!

The code as-is appears to be OK.  Note how sys_getdents64() will run
access_ok() against the entire user buffer up-front.  Then the start/len of
that verified area is copied into the getdents_callback64 and that is
propagated down to filldir64().

And filldir64() looks like it correctly remains within the bounds of the
start/len.

I guess that copy_to_user() should be __copy_to_user().


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/