Issue with copy_from_user() function in kernel 3.6.10

Sateesh Kumar sateesh.kumar at redpinesignals.com
Fri Jul 26 09:18:32 EDT 2013


Hi,

         Earlier i used local buffer of array causes issue to me. 
Instead of local buffer array, i declared buffer as a pointer and 
allocating a memory of wrq->u.data.length using kmalloc. This change 
fixed my issue.

Thanks & Regards,
Sateesh.

On 07/20/2013 01:21 PM, Sudip Mukherjee wrote:
> Hi Sateesh
> Apart from the simple check as Kristof has suggested , you can also
> print the value of wrq->u.data.length to see exactly how much data you
> are receiving from the user.
>
> Regards
> Sudip
>
> On Fri, Jul 19, 2013 at 9:28 PM, Kristof Provost <kristof at sigsegv.be> wrote:
>> On 2013-07-19 21:20:07 (+0530), Sateesh Kumar <sateesh.kumar at redpinesignals.com> wrote:
>>>       I am declaring an array of 200 bytes as destination in ioctl
>>> processing function itself even i am sending 12 bytes from application.
>>> Here is the sample code how i am doing in kernel.
>>>
>>>       ioctl_process(struct iwreq *wrq)
>>>       {
>>>           uint8 buffer[200];
>>>           copy_from_user(buffer, wrq->u.data.pointer,
>>> wrq->u.data.length); //This line itself is causing the problem for me.
>>>       }
>>>
>> I'll quote the error message you got here:
>>
>>>>> "call to ‘copy_from_user_overflow’ declared with attribute warning:
>>>>> copy_from_user() buffer size is not provably correct"
>>>>>
>> It looks very much like you're taking a user supplied size
>> (wrq->u.data.length) and trusting it to be less than 200. That's bad.
>> Don't do that. It'll let any user panic or exploit your system.
>>
>> A simple check (if wrq->u.data.length > 200 return -E2BIG;) would
>> probably be sufficient.
>>
>> (You'll also want to check the return value of copy_from_user().)
>>
>> Regards,
>> Kristof
>>
>





More information about the Kernelnewbies mailing list