[PATCH] read() from driverfs files can read more bytes then requested

Andrey Panin (pazke@orbita1.ru)
Thu, 7 Feb 2002 12:10:53 +0300

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Anthony Campbell: "Re: Total lockups using ext3"
Previous message: Andres Salomon: "D state processes in 2.4.18-pre7-ac3"

--bajzpZikUji1w+G9
Content-Type: multipart/mixed; boundary="c3bfwLpm8qysLVxt"
Content-Disposition: inline

--c3bfwLpm8qysLVxt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi all,

small program below crashes on read() from driverfs file:

int main(void)
{
int fd, ret;
char buf[16];

fd =3D open("/var/driver/root/pci0/status", 0);
ret =3D read(fd, buf, sizeof(buf));
close(fd);
}

it's because driverfs_read_file() function blindly uses entry->show()
return value without sanity check. As a result userspace process requested=
=20
16 bytes, but got ~45 and smashed stack as a bonus. You can also get this=
=20
effect pressing F3 in Midnight Commander on driverfs files.

Attached patch adds check that returned value is less then requested=20
byte count. I know that actual callback function device_read_status()
should also be fixed, but I found this bug after midnight and=20
decided to sleep a little :)

Best regards.

--=20
Andrey Panin | Embedded systems software engineer
pazke@orbita1.ru | PGP key: wwwkeys.eu.pgp.net
--c3bfwLpm8qysLVxt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-driverfs
Content-Transfer-Encoding: quoted-printable

diff -urN -X /usr/dontdiff /linux.2.5.3-dj3/fs/driverfs/inode.c /linux/fs/d=
riverfs/inode.c
--- /linux.2.5.3-dj3/fs/driverfs/inode.c Wed Feb 6 23:42:06 2002
+++ /linux/fs/driverfs/inode.c Wed Feb 6 23:34:05 2002
@@ -255,6 +255,9 @@
=20
len =3D entry->show(dev,page,count,*ppos);
=20
+ if (len > count)
+ len =3D count;
+
if (len <=3D 0) {
if (len < 0)
retval =3D len;

--c3bfwLpm8qysLVxt--

--bajzpZikUji1w+G9
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8YkSdBm4rlNOo3YgRAhEYAJ4zj2kpr4SzpNgYTW9NiAM7mDrN9wCeJGUk
/8+MhEHWORbuK7ur+p2R7Zs=
=9f53
-----END PGP SIGNATURE-----

--bajzpZikUji1w+G9--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Anthony Campbell: "Re: Total lockups using ext3"
Previous message: Andres Salomon: "D state processes in 2.4.18-pre7-ac3"