* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-19 14:18 UTC (permalink / raw)
To: kernelnewbies
Dear Experts,
I am using kernel 3.6.10 for my driver development. When I compile
the code, I get the following warning. I am facing the same issue
with the 3.5.4 kernel.
"call to 'copy_from_user_overflow' declared with attribute warning:
copy_from_user() buffer size is not provably correct"
When I try to install the module, I get a kernel crash. Here is
the crash log.
//Kernel crash log - Start
Call Trace:
[19592.491229] [<c044bbf2>] warn_slowpath_common+0x72/0xa0
[19592.491233] [<c06882b7>] ? copy_from_user_overflow+0x27/0x30
[19592.491236] [<c06882b7>] ? copy_from_user_overflow+0x27/0x30
[19592.491241] [<f86f54c0>] ? jtag_usb_card_read+0x70/0x70 [usb_jtag]
[19592.491244] [<c044bcc3>] warn_slowpath_fmt+0x33/0x40
[19592.491247] [<c06882b7>] copy_from_user_overflow+0x27/0x30
[19592.491251] [<f86f54ec>] jtag_usb_ioctl+0x2c/0x80 [usb_jtag]
[19592.491256] [<c0565dea>] do_vfs_ioctl+0x7a/0x590
[19592.491259] [<c055f41b>] ? putname+0x2b/0x40
[19592.491262] [<c055f41b>] ? putname+0x2b/0x40
[19592.491265] [<c0555238>] ? do_sys_open+0x158/0x1c0
[19592.491269] [<c0566368>] sys_ioctl+0x68/0x80
[19592.491274] [<c0980cdf>] sysenter_do_call+0x12/0x28
[19592.491276] ---[ end trace 98bdb358664246ac ]---
[19592.491277] copy_from_usr error
//Kernel crash log - End
Please let me know what is wrong with my driver.
Thanks in advance,
Regards,
Sateesh
* Issue with copy_from_user() function in kernel 3.6.10
From: Sudip Mukherjee @ 2013-07-19 14:56 UTC (permalink / raw)
To: kernelnewbies
Hi Santosh
Does your destination buffer have sufficient size to hold the data?
Regards
Sudip
* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-19 15:50 UTC (permalink / raw)
To: kernelnewbies
Hi Sudip,
I am declaring an array of 200 bytes as the destination in the ioctl
processing function itself, even though I am sending 12 bytes from the
application. Here is sample code showing how I am doing it in the kernel.
ioctl_process(struct iwreq *wrq)
{
        uint8 buffer[200];
        copy_from_user(buffer, wrq->u.data.pointer,
                       wrq->u.data.length); //This line itself is causing the problem for me.
}
Regards,
Sateesh.
* Issue with copy_from_user() function in kernel 3.6.10
From: Kristof Provost @ 2013-07-19 15:58 UTC (permalink / raw)
To: kernelnewbies
On 2013-07-19 21:20:07 (+0530), Sateesh Kumar <sateesh.kumar@redpinesignals.com> wrote:
> I am declaring an array of 200 bytes as the destination in the ioctl
> processing function itself, even though I am sending 12 bytes from the
> application. Here is sample code showing how I am doing it in the kernel.
>
> ioctl_process(struct iwreq *wrq)
> {
>         uint8 buffer[200];
>         copy_from_user(buffer, wrq->u.data.pointer,
>                        wrq->u.data.length); //This line itself is causing the problem for me.
> }
>
I'll quote the error message you got here:
> >> "call to 'copy_from_user_overflow' declared with attribute warning:
> >> copy_from_user() buffer size is not provably correct"
> >>
It looks very much like you're taking a user supplied size
(wrq->u.data.length) and trusting it to be less than 200. That's bad.
Don't do that. It'll let any user panic or exploit your system.
A simple check (if wrq->u.data.length > 200 return -E2BIG;) would
probably be sufficient.
(You'll also want to check the return value of copy_from_user().)
Regards,
Kristof
* Issue with copy_from_user() function in kernel 3.6.10
From: Sudip Mukherjee @ 2013-07-20 7:51 UTC (permalink / raw)
To: kernelnewbies
Hi Sateesh
Apart from the simple check as Kristof has suggested, you can also
print the value of wrq->u.data.length to see exactly how much data you
are receiving from the user.
Regards
Sudip
* Issue with copy_from_user() function in kernel 3.6.10
From: Sateesh Kumar @ 2013-07-26 13:18 UTC (permalink / raw)
To: kernelnewbies
Hi,
Earlier I used a local buffer array, which caused the issue for me.
Instead of a local buffer array, I declared the buffer as a pointer and
allocated memory of wrq->u.data.length using kmalloc. This change
fixed my issue.
Thanks & Regards,
Sateesh.
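
The length check and return-value check Kristof suggests, together with a bounded form of the kmalloc approach from the last message, as an added example (not code from the thread or from the driver). It is a userspace model so it can be compiled and run outside the kernel: `mock_copy_from_user`, `struct iw_point_model`, `BUF_MAX` and both function names are assumptions, and malloc/free stand in for kmalloc/kfree.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define BUF_MAX 200  /* size of the on-stack buffer shown in the thread */
/* Stand-in for wrq->u.data (struct iw_point): user pointer plus length. */
struct iw_point_model { const void *pointer; unsigned short length; };

/* Mock copy_from_user(): returns the number of bytes NOT copied, like the
 * real call; a NULL source models a faulting user pointer. */
static unsigned long mock_copy_from_user(void *to, const void *from, unsigned long n)
{
    if (!from)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Fixed stack buffer: reject oversized requests before copying. */
int ioctl_process_stack(const struct iw_point_model *d)
{
    unsigned char buffer[BUF_MAX];
    if (d->length > sizeof(buffer))
        return -E2BIG;
    if (mock_copy_from_user(buffer, d->pointer, d->length))
        return -EFAULT;
    return 0;
}

/* Heap buffer sized from the request: the user-supplied length is still
 * range-checked, and allocation and copy failures are both handled. */
int ioctl_process_heap(const struct iw_point_model *d)
{
    unsigned char *buffer;
    int ret;
    if (d->length == 0 || d->length > BUF_MAX)
        return -EINVAL;
    buffer = malloc(d->length);
    if (!buffer)
        return -ENOMEM;
    ret = mock_copy_from_user(buffer, d->pointer, d->length) ? -EFAULT : 0;
    free(buffer);
    return ret;
}

int main(void)
{
    struct iw_point_model req = { "x", 201 };  /* constructed oversized request */
    return ioctl_process_stack(&req) == -E2BIG ? 0 : 1;
}
```

Both variants treat the length as untrusted input: the stack version refuses anything larger than its buffer, and the heap version keeps the same upper bound instead of allocating whatever the caller asks for.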