Issue with copy_from_user() function in kernel 3.6.10

Sudip Mukherjee sudipm.mukherjee at gmail.com
Sat Jul 20 03:51:35 EDT 2013


Hi Sateesh
Apart from the simple check as Kristof has suggested , you can also
print the value of wrq->u.data.length to see exactly how much data you
are receiving from the user.

Regards
Sudip

On Fri, Jul 19, 2013 at 9:28 PM, Kristof Provost <kristof at sigsegv.be> wrote:
> On 2013-07-19 21:20:07 (+0530), Sateesh Kumar <sateesh.kumar at redpinesignals.com> wrote:
>>      I am declaring an array of 200 bytes as destination in ioctl
>> processing function itself even i am sending 12 bytes from application.
>> Here is the sample code how i am doing in kernel.
>>
>>      ioctl_process(struct iwreq *wrq)
>>      {
>>          uint8 buffer[200];
>>          copy_from_user(buffer, wrq->u.data.pointer,
>> wrq->u.data.length); //This line itself is causing the problem for me.
>>      }
>>
> I'll quote the error message you got here:
>
>> >> "call to ‘copy_from_user_overflow’ declared with attribute warning:
>> >> copy_from_user() buffer size is not provably correct"
>> >>
>
> It looks very much like you're taking a user supplied size
> (wrq->u.data.length) and trusting it to be less than 200. That's bad.
> Don't do that. It'll let any user panic or exploit your system.
>
> A simple check (if wrq->u.data.length > 200 return -E2BIG;) would
> probably be sufficient.
>
> (You'll also want to check the return value of copy_from_user().)
>
> Regards,
> Kristof
>



More information about the Kernelnewbies mailing list