Date: Thu, 15 May 2003 17:29:08 -0700 (PDT)
From: Junfeng Yang <yjf@stanford.edu>
To: Andrew Morton <akpm@digeo.com>
cc: linux-kernel@vger.kernel.org
Subject: Re: [CHECKER] 2 potential out-of-bound user-pointer errors in
 fs/readdir.c
In-Reply-To: <20030515150344.1b2686f2.akpm@digeo.com>
Message-ID: <Pine.GSO.4.44.0305151727560.18402-100000@elaine24.Stanford.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1325
Lines: 40


Thanks for the clarifications! so these are not real security bugs, but
redundant checks.

-Junfeng

On Thu, 15 May 2003, Andrew Morton wrote:

> Junfeng Yang <yjf@stanford.edu> wrote:
> >
> >
> > Hi,
> >
> > Enclosed are two warnings found in fs/readdir.c, where user provided
> > pointers are accessed out of 'verified' bounds.
> >
> > The warnings are found by: first, whenenver we see calls to verify_area,
> > access_ok and all the no-underscore versions of *_user functions, we
> > remember the verified bounds. when a user-pointer is accessed thru
> > __*_user functions, we check if the verified bound is big enough.
> >
> > Please confirm or clarify. Thanks!
>
> The code as-is appears to be OK.  Note how sys_getdents64() will run
> access_ok() against the entire user buffer up-front.  Then the start/len of
> that verified area is copied into the getdents_callback64 and that is
> propagated down to filldir64().
>
> And filldir64() looks like it correctly remains within the bounds of the
> start/len.
>
> I guess that copy_to_user() should be __copy_to_user().
>
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/