Faults in Linux 3.x : Using value from get_user without check as array index

As part of my work, I need to annotate the reports generated using Coccinelle scripts as bugs/FPs for recent Linux kernels, recent as in versions > 3.0 till the current one, 3.18.

Since I’m reading the newer reports, today I completed Linux_get.new.org.

This org file holds the report for unchecked values obtained from user level via the get_user function that may be used as array indices or loop bounds. I have written some other blog posts about this case too.


What is get_user?

It is used to get a simple variable from user space. This macro copies a single simple variable from user space to kernel space. It supports simple types like char and int, but not larger data types like structures or arrays.

What did I find?

There was only one TODO and it was a bug. Look at the code snippet below:

if (get_user(count, &argp->dest_count)) {   /* count comes straight from user space */
    ret = -EFAULT;
    goto out;
}
size = offsetof(struct btrfs_ioctl_same_args __user, info[count]);   /* count used as an index with no range check */

The value taken from get_user is used as an array index, without any check on its range. A clear bug. It’s still present in the current Linux kernel, so a patch for this case is lined up.
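To show why the missing check matters, here is an added user-space demo (constructed for this post, not kernel or btrfs code; the struct layouts, the MAX_DEST_COUNT bound and the sim_get_user helper are assumptions). It mirrors the snippet's flow: a count copied from "user" memory feeds a size computation. The unchecked form lets a large count wrap the size back to the bare header length, so a later allocation would be far smaller than the number of entries the handler then trusts; the hardened form bounds the count before it touches any size or index.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures named in the post; the
 * layouts are assumptions for this demo, not the real btrfs definitions. */
struct same_extent_info {
    uint64_t fd;
    uint64_t logical_offset;
    uint64_t bytes_deduped;
    int32_t  status;
    uint32_t reserved;
};

struct same_args {
    uint64_t logical_offset;
    uint64_t length;
    uint64_t dest_count;            /* wide on purpose: lets the size computation wrap */
    struct same_extent_info info[]; /* dest_count entries follow the header */
};

/* Hypothetical upper bound a hardened handler would enforce. */
#define MAX_DEST_COUNT 1024u

/* User-space stand-in for get_user(): copies one scalar from a "user" pointer.
 * Returns 0 on success, -EFAULT when the pointer is unusable (here: NULL). */
static int sim_get_user(uint64_t *dst, const uint64_t *user_ptr)
{
    if (user_ptr == NULL)
        return -EFAULT;
    memcpy(dst, user_ptr, sizeof(*dst));
    return 0;
}

/* Mirrors the flagged pattern: the size is derived from the unchecked count,
 * so a large count silently wraps the multiplication. */
static size_t size_unchecked(uint64_t count)
{
    return offsetof(struct same_args, info)
         + (size_t)count * sizeof(struct same_extent_info);
}

/* Hardened form: bound the count before it feeds any size or index.
 * Returns 0 and writes *out, or -EINVAL for an out-of-range count. */
static int size_checked(uint64_t count, size_t *out)
{
    if (count > MAX_DEST_COUNT)
        return -EINVAL;
    *out = size_unchecked(count); /* cannot wrap once count is bounded */
    return 0;
}

/* Vulnerable ioctl-style path, shaped like the post's snippet: returns the
 * buffer size it would go on to allocate, or 0 with *err set. */
static size_t handle_vulnerable(const struct same_args *argp, int *err)
{
    uint64_t count;
    *err = sim_get_user(&count, &argp->dest_count);
    if (*err)
        return 0;
    return size_unchecked(count);
}

/* Hardened path: the same flow with the range check in place. */
static size_t handle_hardened(const struct same_args *argp, int *err)
{
    uint64_t count;
    size_t size;
    *err = sim_get_user(&count, &argp->dest_count);
    if (*err)
        return 0;
    *err = size_checked(count, &size);
    return *err ? 0 : size;
}

/* Smallest count whose entry bytes wrap size_t back to zero. */
static uint64_t wrapping_count(void)
{
    return (uint64_t)(SIZE_MAX / sizeof(struct same_extent_info)) + 1;
}

int main(void)
{
    /* Constructed "user" header: a caller that asks for a wrapping count. */
    struct same_args user_hdr = { .logical_offset = 0, .length = 4096,
                                  .dest_count = wrapping_count() };
    int err;
    size_t sz = handle_vulnerable(&user_hdr, &err);
    printf("unchecked: err=%d size=%zu (header alone is %zu bytes)\n",
           err, sz, offsetof(struct same_args, info));
    sz = handle_hardened(&user_hdr, &err);
    printf("checked:   err=%d size=%zu\n", err, sz);
    return 0;
}
```

The same check is what a Coccinelle rule for this report class is looking for: a value produced by get_user must pass through an explicit comparison against a bound before it reaches an index, a loop limit or a size computation. Placing the bound right after get_user, as size_checked does, keeps the check adjacent to the untrusted read, which is easier to audit than a check buried in the allocation code.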

#array-indices, #bugs, #coccinelle, #coccinelle-scripts, #faults, #get_user, #linux-kernel, #linux-kernels