Dubios pointer casting with put_user()

Richard Sailer richard_siegfried at systemli.org
Sun Jul 19 08:15:36 EDT 2020



On 18/07/2020 00:46, Valdis Klētnieks wrote:
> On Fri, 17 Jul 2020 02:13:34 +0200, Richard Sailer said:
> 
>> unsigned long. Is this (correctness and security wise) sane? Because as
>> I understand it put_user() determines the amount it copies from the
>> pointer type.
> 
>> 		rc = put_user(amount, (int __user *)arg);
> 
> If that were true, you wouldn't need to pass the 'amount' variable....
> 
Hmm, that would make no sense to me. arg is a pointer to user space
memory, put_user would still need the value to copy to that memory.

And my understanding of put_user() comes from its definition in uaccess.h:

#define put_user(x, ptr)					\
({								\
	int __ret_pu;						\
	__typeof__(*(ptr)) __pu_val;				\
	__chk_user_ptr(ptr);					\
	might_fault();						\
	__pu_val = x;						\
	switch (sizeof(*(ptr))) {				\
	case 1:							\
		__put_user_x(1, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 2:							\
		__put_user_x(2, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 4:							\
		__put_user_x(4, __pu_val, ptr, __ret_pu);	\
		break;						\
	case 8:							\
		__put_user_x8(__pu_val, ptr, __ret_pu);		\
		break;						\
[...]

But please tell me if I got anything wrong here, I'm still not 100% sure

-- Richard

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20200719/b1fbc416/attachment-0001.sig>


More information about the Kernelnewbies mailing list