From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kees Cook Subject: [PATCH] tun: make sure interface usage can not overflow Date: Sun, 28 Sep 2014 16:27:53 -0700 Message-ID: <20140928232753.GA31180@www.outflux.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "David S. Miller" , Jason Wang , Zhi Yong Wu , "Michael S. Tsirkin" , Tom Herbert , Masatake YAMATO , Xi Wang , stephen hemminger , netdev@vger.kernel.org To: linux-kernel@vger.kernel.org Return-path: Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org This makes the size argument a const, since it is always populated by the caller. Additionally double-checks to make sure the copy_from_user can never overflow, keeping CONFIG_DEBUG_STRICT_USER_COPY_CHECKS happy: In function 'copy_from_user', inlined from '__tun_chr_ioctl' at drivers/net/tun.c:1871:7: ... copy_from_user() buffer size is not provably correct Signed-off-by: Kees Cook --- drivers/net/tun.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index acaaf6784179..a1f317cba206 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1855,7 +1855,7 @@ unlock: } static long __tun_chr_ioctl(struct file *file, unsigned int cmd, - unsigned long arg, int ifreq_len) + unsigned long arg, const size_t ifreq_len) { struct tun_file *tfile = file->private_data; struct tun_struct *tun; @@ -1869,6 +1869,7 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, int ret; if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) { + BUG_ON(ifreq_len > sizeof(ifr)); if (copy_from_user(&ifr, argp, ifreq_len)) return -EFAULT; } else { -- 1.9.1 -- Kees Cook Chrome OS Security