Issue with copy_from_user() function in kernel 3.6.10
Kristof Provost
kristof at sigsegv.be
Fri Jul 19 11:58:03 EDT 2013
On 2013-07-19 21:20:07 (+0530), Sateesh Kumar <sateesh.kumar at redpinesignals.com> wrote:
> I am declaring an array of 200 bytes as destination in ioctl
> processing function itself even i am sending 12 bytes from application.
> Here is the sample code how i am doing in kernel.
>
> ioctl_process(struct iwreq *wrq)
> {
> uint8 buffer[200];
> copy_from_user(buffer, wrq->u.data.pointer,
> wrq->u.data.length); //This line itself is causing the problem for me.
> }
>
I'll quote the error message you got here:
> >> "call to ‘copy_from_user_overflow’ declared with attribute warning:
> >> copy_from_user() buffer size is not provably correct"
> >>
It looks very much like you're taking a user supplied size
(wrq->u.data.length) and trusting it to be less than 200. That's bad.
Don't do that. It'll let any user panic or exploit your system.
A simple check (if wrq->u.data.length > 200 return -E2BIG;) would
probably be sufficient.
(You'll also want to check the return value of copy_from_user().)
Regards,
Kristof
More information about the Kernelnewbies
mailing list