qla_os.c causes proc_file_read: Apparent buffer overflow.

From: Robin Holt
Date: Sat Apr 02 2005 - 11:37:43 EST

Next message: Matthias-Christian Ott: "Re: make OOM more "user friendly""
Previous message: Nate Grey: "Problem mounting dvd if the drive spin down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In qlaxxx/qla_os.c, the copy_mem_info function can cause proc_file_read
to produce an "Apparent buffer overflow" error.

For illistration, lets assume we enter with

info->offset = 0
info->len = PAGE_SIZE (16384 on ia64 where I am seeing this)
info->pos = 0

We pass in a data buffer that is 16386 bytes long.

As a result, the first len check in copy_mem_info will restrict len to
16384. At the end of copy, info->buffer += len will point info->buffer
at the first byte of the next page.

When the qla2x00_proc_info read function returns to proc_file_read it
will check start >= page + PAGE_SIZE in the else case on fs/proc/generic.c
line 158, and produce a warning.

I am not sure what the correct fix is for this. Any guidance would
be appreciated.

Thanks,
Robin Holt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matthias-Christian Ott: "Re: make OOM more "user friendly""
Previous message: Nate Grey: "Problem mounting dvd if the drive spin down"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]