Hi all,
The small program below crashes on read() from a driverfs file:
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
	int fd, ret;
	char buf[16];

	/* the driverfs attribute file that triggers the crash */
	fd = open("/var/driver/root/pci0/status", O_RDONLY);
	if (fd < 0)
		return 1;
	/* ask for 16 bytes; the kernel hands back the whole show() output */
	ret = read(fd, buf, sizeof(buf));
	close(fd);
	return ret < 0 ? 1 : 0;
}
It's because the driverfs_read_file() function blindly uses the entry->show()
return value without a sanity check. As a result, the userspace process requested
16 bytes but got ~45, and smashed its stack as a bonus. You can also get this
effect by pressing F3 in Midnight Commander on driverfs files.
The attached patch adds a check that the returned value is less than the requested
byte count. I know that the actual callback function device_read_status()
should also be fixed, but I found this bug after midnight and
decided to sleep a little :)
Best regards.
--
Andrey Panin | Embedded systems software engineer
pazke@orbita1.ru | PGP key: wwwkeys.eu.pgp.net
This archive was generated by hypermail 2b29 : Thu Feb 07 2002 - 21:00:59 EST