Feature #2771
open
111: Check that integer underflow doesn't happen in call of copy_from_user(), copy_to_user() and others
Added by Evgeny Novikov over 12 years ago.
Updated about 10 years ago.
Description
Somebody can pass negative values as the number of bytes to be copied from the user. But copy_from_user() (and some similar functions) expects an unsigned long int value, so negative values will lead to integer underflow. This issue belongs to specific:check_params, but can also be treated as generic:int_overflow. Commit 064368f of linux-stable represents the issue. Model 111_2a will take care of it.
In addition, 111_2a checks whether the number of bytes is less than the buffer's size.
Links
Sample bugfixes 42f9f8d, 5c9843a, 064368f, 5934df9
Commit 2086fa6 of the LDV master branch added the 111_1a model, which successfully finds the issue before commit 064368f of linux-stable and reports safe after the commit.
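The conversion described in this issue can be reproduced in user space. The following is an added example, not code from the issue, from LDV or from the linux-stable commits: `mock_copy_from_user()`, the two handlers and `BUF_SIZE` are hypothetical names, and the mock only records the size it is given so that a negative signed length can be observed after it is converted to `unsigned long`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* int constant, so "len > BUF_SIZE" is a signed compare */

/* Hypothetical stand-in for copy_from_user(): records the size it receives
 * as unsigned long and returns the number of bytes NOT copied. */
static unsigned long last_requested;

static unsigned long mock_copy_from_user(void *to, const void *from, unsigned long n)
{
    last_requested = n;
    if (n > BUF_SIZE)          /* demo only: refuse rather than overflow */
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Flawed pattern: only an upper bound on a signed length. A negative len
 * passes and is converted to a huge unsigned long (up to ULONG_MAX). */
long handler_unchecked(const void *ubuf, int len)
{
    char kbuf[BUF_SIZE];
    if (len > BUF_SIZE)
        return -1;
    return mock_copy_from_user(kbuf, ubuf, len) ? -2 : 0;
}

/* Checked pattern: length is non-negative and fits the destination buffer. */
long handler_checked(const void *ubuf, int len)
{
    char kbuf[BUF_SIZE];
    if (len < 0 || (size_t)len > sizeof(kbuf))
        return -1;
    return mock_copy_from_user(kbuf, ubuf, (unsigned long)len) ? -2 : 0;
}

unsigned long requested_size(void) { return last_requested; }

int main(void)
{
    char user_data[BUF_SIZE] = "constructed sample input";
    long rc = handler_unchecked(user_data, -1);
    printf("unchecked: rc=%ld size=%lu\n", rc, requested_size());
    rc = handler_checked(user_data, 16);
    printf("checked:   rc=%ld size=%lu\n", rc, requested_size());
    return 0;
}
```

In the unchecked handler the copy routine is asked for `ULONG_MAX` bytes when `len` is -1; the checked handler rejects the same input before the call is reached.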
- Subject changed from Check that integer underflow doesn't happen in call of copy_from_user to 111: Check that integer underflow doesn't happen in call of copy_from_user
- Priority changed from High to Normal
Reduce priority until we decide that it's actually high.
- Subject changed from 111: Check that integer underflow doesn't happen in call of copy_from_user to 111: Check that integer underflow doesn't happen in call of copy_from_user(), copy_to_user() and others
- Description updated (diff)
- Assignee changed from Evgeny Novikov to Vladimir Gratinskiy
- % Done changed from 0 to 10
- % Done changed from 10 to 90
- Description updated (diff)
What is the difference between 111_1a and 111_2a models?
- Description updated (diff)