user_data: using a user supplied offset into a known array gives safe data
author Dan Carpenter <dan.carpenter@oracle.com>
Mon, 15 Apr 2013 08:02:03 +0000 (15 11:02 +0300)
committer Dan Carpenter <dan.carpenter@oracle.com>
Mon, 15 Apr 2013 08:02:03 +0000 (15 11:02 +0300)
The situation here is:

x = trusted_kernel_array[untrusted_user_offset];

At the end then x is trusted kernel data.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
check_user_data.c

index 283868a..b5e3b86 100644 (file)
@@ -156,6 +156,8 @@ int is_user_data(struct expression *expr)
        if (expr->type == EXPR_BINOP) {
                if (is_user_data(expr->left))
                        return 1;
+               if (is_array(expr))
+                       return 0;
                if (is_user_data(expr->right))
                        return 1;
                return 0;
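
Review bot: the new `if (is_array(expr)) return 0;` branch returns before `expr->right` is examined, so a value loaded with a user-controlled index is reported as non-user data whether or not that index has been bounds checked; nothing in this hunk looks at the range of the offset. An out-of-range offset reads outside the array, and the result is then not the trusted kernel data the commit message describes. Either limit the early return to the case where the offset is known to be in bounds, or add a comment above the branch stating that index validation is left to a separate check. The comment should also record that the branch has to stay between the two operand tests, with the `expr->left` test first so that an array which is itself user data still returns 1.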