Re: Bogus buffer length check in linux-2.6.11 read()

From: Tom Felker
Date: Tue Mar 15 2005 - 21:58:52 EST

On Tuesday 15 March 2005 11:59 am, linux-os wrote:
> The attached file shows that the kernel thinks it's doing
> something helpful by checking the length of the input
> buffer for a read(). It will return "Bad Address" until
> the length is 1632 bytes. Apparently the kernel thinks
> 1632 is a good length!
> Did anybody consider the overhead necessary to do this
> and the fact that the kernel has no way of knowing if
> the pointer to the buffer is valid until it actually
> does the write. What was wrong with copy_to_user()?
> Why is there the additional bogus check?

I don't think that's what's happening. The kernel is perfectly happy to read
data into any virtual address range that your process can legally write to -
this includes any part of the heap and any part of the stack. The kernel
can't check whether writing to the given address would clobber the stack or
heap - it's your memory, you manage it. The kernel's notion of an "invalid
address" is very simple, and doesn't include every address that you would
consider invalid from a C perspective.

So what's probably happening is that your stack is (1632+256) bytes tall,
including the buffer you allocated. (Stack grows downward on i386.) So
ideally you read less than 256 bytes. If you read more than 256 but less
than 1888 bytes, the read would damage other elements on the stack, but it is
OK as far as the kernel is concerned. But if you read more than that, you're
asking the kernel to write to an address that is higher than the highest
address of the stack (the address of the bottom element), and this address
isn't mapped into your process, so you get EINVAL.

If you were to type more than 256 (but less than 1888) characters before
pressing enter, the read would silently overflow the buffer, thus clobbering
the stack, including the return address of main(). So when main tried to
return, you'd get a segfault. Somebody with assembly skills could probably
craft a string which, when your program reads it, would take control of the

Tom Felker, <tcfelker@xxxxxxxx>
<> - Stop fiddling with the volume knob.

No army can withstand the strength of an idea whose time has come.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at