Feature #2771
open
111: Check that integer underflow doesn't happen in call of copy_from_user(), copy_to_user() and others
90%
Description
Somebody can pass negative values as the number of bytes to be copied from user. But copy_from_user() (and some similar functions) expects an unsigned long int value, so negative values will lead to integer underflow. This issue belongs to specific:check_params, but can also be treated as generic:int_overflow. Commit 064368f of linux-stable represents the issue. Model 111_2a will take care of it.
In addition, 111_2a checks if the number of bytes is less than the buffer's size.
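The conversion described above, as an added user-space sketch (not LDV model code and not taken from the linux-stable commit). `model_copy_from_user`, `read_unchecked`, `read_checked` and `BUF_SIZE` are hypothetical names; the stub only imitates the kernel function's unsigned long count and its bytes-not-copied return value.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64                   /* constructed destination size */

static unsigned long last_requested;  /* count the callee actually received */

/* Hypothetical stand-in for copy_from_user(): unsigned long count, returns
 * the number of bytes NOT copied. src_len bounds the readable source. */
static unsigned long model_copy_from_user(void *to, const void *from,
                                          unsigned long n, unsigned long src_len)
{
    last_requested = n;
    if (n > src_len)
        return n;                     /* nothing copied */
    memcpy(to, from, n);
    return 0;
}

/* Unchecked caller: the signed length is passed straight through. */
long read_unchecked(char *dst, const char *src, unsigned long src_len, int len)
{
    /* implicit int -> unsigned long conversion: -1 arrives as ULONG_MAX */
    return model_copy_from_user(dst, src, len, src_len) ? -EFAULT : len;
}

/* Checked caller: rejects a negative count and a count larger than the
 * buffer (accepting len == BUF_SIZE is an assumption of this sketch). */
long read_checked(char *dst, const char *src, unsigned long src_len, int len)
{
    if (len < 0 || (unsigned long)len > BUF_SIZE)
        return -EINVAL;
    return model_copy_from_user(dst, src, (unsigned long)len, src_len)
               ? -EFAULT : len;
}

int main(void)
{
    char dst[BUF_SIZE], src[16] = "sample";   /* constructed input */
    long r = read_unchecked(dst, src, sizeof src, -1);
    printf("unchecked(-1) = %ld, callee saw n = %lu\n", r, last_requested);
    r = read_checked(dst, src, sizeof src, -1);
    printf("checked(-1)   = %ld\n", r);
    return 0;
}
```

In the stub the wrapped count is caught only because the source length is known; the checked caller rejects it before the copy routine is reached at all.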
Updated by Evgeny Novikov over 12 years ago
Commit 2086fa6 of LDV master branch added the 111_1a model, which successfully finds the issue before commit 064368f of linux-stable and is safe after the commit.
Updated by Alexey Khoroshilov over 12 years ago
- Subject changed from Check that integer underflow doesn't happen in call of copy_from_user to 111: Check that integer underflow doesn't happen in call of copy_from_user
Updated by Evgeny Novikov over 12 years ago
- Priority changed from High to Normal
Reduce priority until we decide that it's actually high.
Updated by Vladimir Gratinskiy over 12 years ago
- Subject changed from 111: Check that integer underflow doesn't happen in call of copy_from_user to 111: Check that integer underflow doesn't happen in call of copy_from_user(), copy_to_user() and others
- Description updated (diff)
- Assignee changed from Evgeny Novikov to Vladimir Gratinskiy
- % Done changed from 0 to 10
Updated by Evgeny Novikov about 12 years ago
What is the difference between 111_1a and 111_2a models?