Taking strlen of buffers copied from userspace

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Artem Frolov <artemfrolov@gmail.com>
To: linux-kernel@vger.kernel.org
Subject: Taking strlen of buffers copied from userspace
Date: Tue, 15 Mar 2005 13:27:47 -0500	[thread overview]
Message-ID: <26092d8c0503151027ec75b63@mail.gmail.com> (raw)

Hello,

I am in the process of testing static defect analyzer on a Linux
kernel source code (see disclosure below).

I found some potential array bounds violations. The pattern is as
follows: bytes are copied from the user space and then buffer is
accessed on index strlen(buf)-1. This is a defect if user data start
from 0. So the question is: can we make any assumptions what data may
be received from the user or it could be arbitrary?

For example, in ./drivers/block/cciss.c, function cciss_proc_write
(line numbers are taken form 2.6.11.3):
   ....
   293          if (count > sizeof(cmd)-1) return -EINVAL;
   294          if (copy_from_user(cmd, buffer, count)) return -EFAULT;
   295          cmd[count] = '\0';
   296          len = strlen(cmd);      // above 3 lines ensure safety
   297          if (cmd[len-1] == '\n')
   298                  cmd[--len] = '\0';
   .....

Another example is arch/i386/kernel/cpu/mtrr/if.c, function mtrr_write:
   ....
   107          if (copy_from_user(line, buf, len - 1))
   108                  return -EFAULT;
   109          ptr = line + strlen(line) - 1;
   110          if (*ptr == '\n')
   111                  *ptr = '\0';
    ....


Full disclosure: I am working for Klocwork (http://www.klocwork.com/),
which is a vendor of commercial closed-source proprietary products,
static analyzer for C/C++ is part of its products

Best regards
--
Artem Frolov
Senior software engineer
Klocwork inc

next             reply	other threads:[~2005-03-15 18:37 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-03-15 18:27 Artem Frolov [this message]
2005-03-16 22:36 ` [PATCH] Taking strlen of buffers copied from userspace Randy.Dunlap
     [not found] <3Iphf-66y-15@gated-at.bofh.it>
2005-03-15 23:56 ` Robert Hancock
2005-03-16  4:20   ` Randy.Dunlap
     [not found] <3IugU-2m4-11@gated-at.bofh.it>
     [not found] ` <3IugU-2m4-9@gated-at.bofh.it>
     [not found]   ` <3IykC-5x0-29@gated-at.bofh.it>
2005-03-16  5:24     ` Robert Hancock
2005-03-16  5:30       ` Randy.Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=26092d8c0503151027ec75b63@mail.gmail.com \
    --to=artemfrolov@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox