Faults in Linux Kernel 3.x : Unchecked value from copy_from_user used as loop index

As part of my work, I need to annotate the reports generated using Coccinelle scripts as bugs/FPs for recent Linux kernels, recent as in versions > 3.0 up to the current one, 3.18.

So while reading the reports (newer ones) I first completed Linux_copy.new.org.

It has reports for a pattern where unchecked values obtained from user level may be used as array indices or loop bounds.

It has reports where copy_from_user is used.

What is copy_from_user?

It copies a block of data from user space to kernel space.

It returns the number of bytes that could not be copied. On success, this will be zero. If some data could not be copied, this function will pad the copied data to the requested size using zero bytes.

More here.

As I also described here, using values taken from the user as array indices or loop bounds without a check is bad.

There was only one TODO in this org file.

What is it? A FP or a Bug?

Oh, it is a bug. They have used a value taken from the user via copy_from_user as an array bound.
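To make the pattern concrete, here is an added illustration written for this post; it is not code from the kernel or from the Coccinelle reports. The `slot_request` struct and both handler names are hypothetical, and `copy_from_user()` is replaced by a user-space stand-in so the example compiles and runs outside the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* User-space stand-in for the kernel's copy_from_user(): returns the number
 * of bytes NOT copied, and fails completely when the source is NULL. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Hypothetical ioctl argument: user space says how many slots follow. */
struct slot_request {
    uint32_t count;
    uint32_t slots[8];
};

static uint32_t slot_table[8];

/* The pattern the script flags: the loop bound is whatever user space wrote
 * into req.count. It is returned here instead of used, so a caller can see
 * that nothing stops it from exceeding ARRAY_SIZE(slot_table). */
static long loop_bound_unchecked(const void *user_arg)
{
    struct slot_request req;

    copy_from_user(&req, user_arg, sizeof(req)); /* return value ignored too */
    return (long)req.count;
}

/* Hardened handler: check that the copy succeeded, then validate count
 * against both arrays it indexes before it bounds the loop. Returns the
 * number of slots copied, or a negative errno. */
static long handle_checked(const void *user_arg)
{
    struct slot_request req;
    uint32_t i;

    if (copy_from_user(&req, user_arg, sizeof(req)) != 0)
        return -EFAULT;
    if (req.count > ARRAY_SIZE(req.slots) || req.count > ARRAY_SIZE(slot_table))
        return -EINVAL;
    for (i = 0; i < req.count; i++)
        slot_table[i] = req.slots[i];
    return (long)req.count;
}
```

The same check is what a fix patch for the flagged report needs: validate the user-supplied count against the size of every array it indexes, and treat a non-zero return from copy_from_user as -EFAULT.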

I’ll be sending patches to fix these issues once I’m done with the work of annotating the reports.

#array-indices, #bugs, #coccienlle, #coccinelle-scripts, #faults, #linux-kernel-bugs, #linux-kernels, #programming