* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-19 14:18 UTC
  To: kernelnewbies

Dear Experts,

I am using kernel 3.6.10 for my driver development. When I compile
the code, I get the following warning. I am facing the same issue
with the 3.5.4 kernel.

"call to ‘copy_from_user_overflow’ declared with attribute warning:
copy_from_user() buffer size is not provably correct"

When I try to install the module, I get a kernel crash. Here is
the crash log.


//Kernel crash log - Start

Call Trace:
[19592.491229] [<c044bbf2>] warn_slowpath_common+0x72/0xa0
[19592.491233] [<c06882b7>] ? copy_from_user_overflow+0x27/0x30
[19592.491236] [<c06882b7>] ? copy_from_user_overflow+0x27/0x30
[19592.491241] [<f86f54c0>] ? jtag_usb_card_read+0x70/0x70 [usb_jtag]
[19592.491244] [<c044bcc3>] warn_slowpath_fmt+0x33/0x40
[19592.491247] [<c06882b7>] copy_from_user_overflow+0x27/0x30
[19592.491251] [<f86f54ec>] jtag_usb_ioctl+0x2c/0x80 [usb_jtag]
[19592.491256] [<c0565dea>] do_vfs_ioctl+0x7a/0x590
[19592.491259] [<c055f41b>] ? putname+0x2b/0x40
[19592.491262] [<c055f41b>] ? putname+0x2b/0x40
[19592.491265] [<c0555238>] ? do_sys_open+0x158/0x1c0
[19592.491269] [<c0566368>] sys_ioctl+0x68/0x80
[19592.491274] [<c0980cdf>] sysenter_do_call+0x12/0x28
[19592.491276] ---[ end trace 98bdb358664246ac ]---
[19592.491277] copy_from_usr error

//Kernel crash log - End



Please let me know what is wrong with my driver.


Thanks in advance,
Regards,
Sateesh

* Issue with copy_from_user() function in kernel 3.6.10
From: Sudip Mukherjee @ 2013-07-19 14:56 UTC
  To: kernelnewbies

Hi Santosh
Does your destination buffer have sufficient size to hold the data?

Regards
Sudip

* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-19 15:50 UTC
  To: kernelnewbies

Hi Sudip,

     I am declaring an array of 200 bytes as the destination in the ioctl
processing function itself, even though I am sending 12 bytes from the
application. Here is sample code showing how I am doing it in the kernel.

     ioctl_process(struct iwreq *wrq)
     {
         uint8 buffer[200];
         //This line itself is causing the problem for me.
         copy_from_user(buffer, wrq->u.data.pointer, wrq->u.data.length);
     }

Regards,
Sateesh.

-- 
Regards,
Sateesh.

* Issue with copy_from_user() function in kernel 3.6.10
From: Kristof Provost @ 2013-07-19 15:58 UTC
  To: kernelnewbies

On 2013-07-19 21:20:07 (+0530), Sateesh Kumar <sateesh.kumar@redpinesignals.com> wrote:
>      I am declaring an array of 200 bytes as the destination in the ioctl
> processing function itself, even though I am sending 12 bytes from the
> application. Here is sample code showing how I am doing it in the kernel.
>
>      ioctl_process(struct iwreq *wrq)
>      {
>          uint8 buffer[200];
>          //This line itself is causing the problem for me.
>          copy_from_user(buffer, wrq->u.data.pointer, wrq->u.data.length);
>      }
>
I'll quote the error message you got here:

> >> "call to ‘copy_from_user_overflow’ declared with attribute warning:
> >> copy_from_user() buffer size is not provably correct"
> >>

It looks very much like you're taking a user-supplied size
(wrq->u.data.length) and trusting it to be less than 200. That's bad.
Don't do that. It'll let any user panic or exploit your system.

A simple check (if wrq->u.data.length > 200 return -E2BIG;) would
probably be sufficient.

(You'll also want to check the return value of copy_from_user().)

Regards,
Kristof

* Issue with copy_from_user() function in kernel 3.6.10
From: Sudip Mukherjee @ 2013-07-20  7:51 UTC
  To: kernelnewbies

Hi Sateesh
Apart from the simple check as Kristof has suggested, you can also
print the value of wrq->u.data.length to see exactly how much data you
are receiving from the user.

Regards
Sudip

* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-26 13:18 UTC

Hi,

         Earlier I used a local buffer array, which caused the issue for me.
Instead of a local buffer array, I declared the buffer as a pointer and
allocated wrq->u.data.length bytes of memory using kmalloc. This change
fixed my issue.

Thanks & Regards,
Sateesh.
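
The length check and return-value check suggested in Kristof Provost's reply, together with the heap-buffer approach from the last message, as an added example that is not part of the original thread. It is a userspace model so that it builds outside the kernel: iw_point_model, copy_from_user_model(), the two handler names and the use of malloc() in place of kmalloc() are assumptions.

```c
/* Userspace model, not kernel code: iw_point_model, copy_from_user_model() and
 * malloc() stand in for struct iw_point, copy_from_user() and kmalloc(). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 200            /* buffer size from the posted driver code */
struct iw_point_model {
    const void *pointer;        /* user-space address in the real struct */
    uint16_t length;            /* byte count chosen by the caller */
};

/* Returns the number of bytes NOT copied, as copy_from_user() does.
 * A NULL source models a user pointer that faults. */
static unsigned long copy_from_user_model(void *to, const void *from, size_t n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Stack buffer: reject oversized requests first, then check the copy. */
int ioctl_process_stack(const struct iw_point_model *data)
{
    uint8_t buffer[BUF_SIZE];
    if (data->length > sizeof(buffer))
        return -E2BIG;
    if (copy_from_user_model(buffer, data->pointer, data->length))
        return -EFAULT;
    return data->length;        /* bytes accepted */
}

/* Heap buffer sized from the request: same cap, plus an allocation check. */
int ioctl_process_heap(const struct iw_point_model *data)
{
    int ret = data->length;
    uint8_t *buffer;
    if (data->length == 0 || data->length > BUF_SIZE)
        return data->length ? -E2BIG : -EINVAL;  /* empty: nothing to allocate */
    buffer = malloc(data->length);
    if (buffer == NULL)
        return -ENOMEM;
    if (copy_from_user_model(buffer, data->pointer, data->length))
        ret = -EFAULT;          /* partial copy: do not use the buffer */
    free(buffer);
    return ret;
}
```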
