capabilities: simplify bound checks for copy_from_user()

The capabilities syscall has a copy_from_user() call where gcc currently
cannot prove to itself that the copy is always within bounds.

This patch adds a very explicity bound check to prove to gcc that this
copy_from_user cannot overflow its destination buffer.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/kernel/capability.c b/kernel/capability.c
index 4e17041963f57073a4fb3836c415b9a681e40383..c2316d3fa0943004ff7a46ae2b058fc745d1fc62 100644 (file)
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -238,7 +238,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
 {
        struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
-       unsigned i, tocopy;
+       unsigned i, tocopy, copybytes;
        kernel_cap_t inheritable, permitted, effective;
        struct cred *new;
        int ret;
@@ -255,8 +255,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
        if (pid != 0 && pid != task_pid_vnr(current))
                return -EPERM;
 
-       if (copy_from_user(&kdata, data,
-                          tocopy * sizeof(struct __user_cap_data_struct)))
+       copybytes = tocopy * sizeof(struct __user_cap_data_struct);
+       if (copybytes > sizeof(kdata))
+               return -EFAULT;
+
+       if (copy_from_user(&kdata, data, copybytes))
                return -EFAULT;
 
        for (i = 0; i < tocopy; i++) {