Project

General

Profile

Feature #2771

Updated by Vadim Mutilin about 10 years ago

Somebody can pass negative values as a number of bytes to be copied from user. But copy_from_user() (and some similar functions) expects unsigned long int value, so negative values will lead to integer underflow. This issue belongs to _specific:check_params_, but also can be treated as _generic:int_overflow_. Commit 064368f of linux-stable represents the issue. Model 111_2a will take care on it. 
 And in additional 111_2a check if number of bytes is less than buffer's size. 

 *Links* 
 Sample bugfixes "42f9f8d":https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=42f9f8d, "5c9843a":https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5c9843a, "064368f":https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=064368f, "5934df9":https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5934df9

Back