TICS Coding Standard Viewer 
TIOBE Software Quality Framework
©TIOBE Software www.tiobe.com
 
C++ Coding Standard

Rule: EXT05-CPP
Checked automatically with code checker

Synopsis: A user-land pointer is dereferenced without safety checks in the kernel
Language: C++
Severity Level: 3
Category: Security


Description:

Be aware of cases where an operating system kernel unsafely dereferences user pointers. Operating systems cannot directly dereference user-space pointers safely. Instead, they must access the pointed-to data using special "paranoid" routines (for example, the copyin() and copyout() functions on BSD-derived systems, or the copy_from_user() and copy_to_user() functions on Linux-derived systems). A single unsafe dereference can crash the system, allow unauthorized reading or writing of kernel memory, or give a malicious party complete system control.

The following example has a defect: pstr is correctly copied in from user space with the copyin() function, but its field ps_argvstr, which is another pointer to user-space memory, is unsafely dereferenced by the expression pstr.ps_argvstr[i].

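/* p and sb are assumed to be parameters; the declarations are added so the fragment is complete. */
int user_pointer_example(struct proc *p, struct sbuf *sb) {
    struct ps_strings pstr;
    int error, i;

    /* Safe: the structure itself is fetched with copyin(). */
    error = copyin((void *)p->p_sysent->sv_psstrings, &pstr, sizeof(pstr));
    if (error)
        return (error);
    for (i = 0; i < pstr.ps_nargvstr; i++) {
        /* DEFECT: ps_argvstr points to user memory; indexing it dereferences it directly. */
        sbuf_copyin(sb, pstr.ps_argvstr[i], 0);
        sbuf_printf(sb, "%c", '\0');
    }
    return (0);
}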
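
The corrected pattern, as an added example that is not part of the original rule text: a user-space model in which each argv slot and each string byte is fetched through a checked copy instead of indexing pstr.ps_argvstr. The names sim_copyin(), struct sim_ps_strings, collect_args() and load_sample() are hypothetical stand-ins, and "user memory" is a constructed byte array addressed by offset.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed model: "user space" is a byte array, user addresses are offsets. */
#define USER_SIZE 128
static unsigned char user_mem[USER_SIZE];
struct sim_ps_strings { uint32_t ps_argvstr, ps_nargvstr; }; /* hypothetical */

/* Stand-in for copyin(): range-checks the user address before copying. */
static int sim_copyin(uint64_t uaddr, void *kdst, size_t len)
{
    if (uaddr > USER_SIZE || len > USER_SIZE - uaddr)
        return EFAULT;
    memcpy(kdst, user_mem + uaddr, len);
    return 0;
}

/* Copies each argument string (NUL included) to out; returns length or -errno. */
static int collect_args(uint32_t psstrings, char *out, int outlen)
{
    struct sim_ps_strings pstr;
    uint32_t i, argp;
    int error, used = 0;
    if ((error = sim_copyin(psstrings, &pstr, sizeof(pstr))) != 0)
        return -error;
    for (i = 0; i < pstr.ps_nargvstr; i++) {
        /* Fetch argv[i] with a checked copy instead of pstr.ps_argvstr[i]. */
        uint64_t slot = (uint64_t)pstr.ps_argvstr + i * sizeof(argp);
        if ((error = sim_copyin(slot, &argp, sizeof(argp))) != 0)
            return -error;
        do {    /* string bytes are user memory too; outlen bounds the loop */
            if (used >= outlen)
                return -ENAMETOOLONG;
            if ((error = sim_copyin(argp++, &out[used], 1)) != 0)
                return -error;
        } while (out[used++] != '\0');
    }
    return used;
}

/* Constructed sample: ps_strings at 0, argv[] at 16, "ls" at 32, "-l" at 35. */
static void load_sample(void)
{
    struct sim_ps_strings ps = { 16, 2 };
    uint32_t argv[2] = { 32, 35 };
    memcpy(user_mem, &ps, sizeof(ps));
    memcpy(user_mem + 16, argv, sizeof(argv));
    memcpy(user_mem + 32, "ls\0-l", 6);
}
```

A ps_argvstr value or argument pointer that falls outside the modelled user range produces -EFAULT rather than a read of unrelated memory, which is the property the unchecked pstr.ps_argvstr[i] expression lacks.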