Re: [PATCH] Fix NR_KEYS off-by-one error
From: Andrew Morton
Date: Mon Jul 26 2004 - 17:46:24 EST
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx> wrote:
>
> Andries Brouwer <aebr@xxxxxxxxxx> writes:
>
> > On Sat, Jul 17, 2004 at 01:35:59AM +0900, OGAWA Hirofumi wrote:
> >
> > :: KDGKBENT ioctl can use 256 entries (0-255), but it was defined as
> > :: key_map[NR_KEYS] (NR_KEYS == 255). The code seems also thinking it's 256.
> > ::
> > :: key_map[0] = U(K_ALLOCATED);
> > :: for (j = 1; j < NR_KEYS; j++)
> > :: key_map[j] = U(K_HOLE);
> >
> > I think the code has no opinion. It was 128 in 2.4.
> > I am not aware of assumptions on NR_KEYS.
> > So, do not think this is an off-by-one error.
>
> My point is that key_map is 0-254 array. But KDGKBENT uses 255
>
> case KDGKBENT:
> key_map = key_maps[s];
> if (key_map) {
> val = U(key_map[i]);
> if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= NR_TYPES)
> val = K_HOLE;
> } else
> val = (i ? K_HOLE : K_NOSUCHMAP);
> return put_user(val, &user_kbe->kb_value);
>
This all seems a bit inconclusive. Do we proceed with the original patch
or not? If not, how do we fix the overflow which Hirofumi has identified?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/