Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 825332e4 authored by Arjan van de Ven's avatar Arjan van de Ven Committed by James Morris
Browse files

capabilities: simplify bound checks for copy_from_user() 



The capabilities syscall has a copy_from_user() call where gcc currently
cannot prove to itself that the copy is always within bounds.

This patch adds a very explicity bound check to prove to gcc that this
copy_from_user cannot overflow its destination buffer.

Signed-off-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Acked-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent a27ab9f2

kernel/capability.c

+6 −3
Original line number Diff line number Diff line
@@ -238,7 +238,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) 
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)

{

	struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];

	unsigned i, tocopy;

	unsigned i, tocopy, copybytes;

	kernel_cap_t inheritable, permitted, effective;

	struct cred *new;

	int ret;
@@ -255,8 +255,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) 
	if (pid != 0 && pid != task_pid_vnr(current))

		return -EPERM;



	if (copy_from_user(&kdata, data,

			   tocopy * sizeof(struct __user_cap_data_struct)))

	copybytes = tocopy * sizeof(struct __user_cap_data_struct);

	if (copybytes > sizeof(kdata))

		return -EFAULT;



	if (copy_from_user(&kdata, data, copybytes))

		return -EFAULT;



	for (i = 0; i < tocopy; i++) {