diff options
author | Arjan van de Ven <arjan@infradead.org> | 2009-10-13 17:17:36 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-10-13 17:17:36 -0400 |
commit | 825332e4ff1373c55d931b49408df7ec2298f71e (patch) | |
tree | f489a311e576eb1b45ff62cbc0cccbe3bea2baeb /kernel | |
parent | a27ab9f26b729326778271c1efd895aef4fda1c4 (diff) |
capabilities: simplify bound checks for copy_from_user()
The capabilities syscall has a copy_from_user() call where gcc currently
cannot prove to itself that the copy is always within bounds.
This patch adds a very explicity bound check to prove to gcc that this
copy_from_user cannot overflow its destination buffer.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/capability.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/kernel/capability.c b/kernel/capability.c index 4e17041963f5..c2316d3fa094 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
@@ -238,7 +238,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) | |||
238 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) | 238 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
239 | { | 239 | { |
240 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; | 240 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
241 | unsigned i, tocopy; | 241 | unsigned i, tocopy, copybytes; |
242 | kernel_cap_t inheritable, permitted, effective; | 242 | kernel_cap_t inheritable, permitted, effective; |
243 | struct cred *new; | 243 | struct cred *new; |
244 | int ret; | 244 | int ret; |
@@ -255,8 +255,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) | |||
255 | if (pid != 0 && pid != task_pid_vnr(current)) | 255 | if (pid != 0 && pid != task_pid_vnr(current)) |
256 | return -EPERM; | 256 | return -EPERM; |
257 | 257 | ||
258 | if (copy_from_user(&kdata, data, | 258 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); |
259 | tocopy * sizeof(struct __user_cap_data_struct))) | 259 | if (copybytes > sizeof(kdata)) |
260 | return -EFAULT; | ||
261 | |||
262 | if (copy_from_user(&kdata, data, copybytes)) | ||
260 | return -EFAULT; | 263 | return -EFAULT; |
261 | 264 | ||
262 | for (i = 0; i < tocopy; i++) { | 265 | for (i = 0; i < tocopy; i++) { |