[RFC][CFLART] ipmi procfs bogosity

From: viro
Date: Thu Sep 01 2005 - 01:43:24 EST

Next message: Ingo Molnar: "Re: PREEMPT_RT with e1000"
Previous message: Greg Ungerer: "[PATCH]: linux-2.6.13-uc0 (MMU-less support)"
Next in thread: Corey Minyard: "Re: [RFC][CFLART] ipmi procfs bogosity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

drivers/char/ipmi/ipmi_poweroff.c::proc_write_chassctrl()
a) does sscanf on userland pointer
b) does sscanf on array that is not guaranteed to have NUL in it
c) interprets input in incredibly cretinous way:
if strings doesn't start with a decimal number => as if it was "0".
if it starts with decimal number equal to 0 (e.g. is "-0000splat") - as if
it was "0".
if it starts with decimal number equal to 2 (e.g. is "00002FOAD") - as if
it was "2".
otherwise - -EINVAL.
In any case that doesn't end up with -EINVAL, pretend that entire
buffer had been written.

(a) and (b) are immediate bugs; (c) is a valid reason for immediate severe
LARTing of the pervert who had done _that_ in a user-visible API.

Note that API _is_ user-visible, so we can't blindly change it - not without
checking WTF do its users actually write to /proc/ipmi/poweroff_control.

Could somebody comment on the actual uses of that FPOS? My preference would
be to remove the damn thing completely - it's too ugly to live.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: PREEMPT_RT with e1000"
Previous message: Greg Ungerer: "[PATCH]: linux-2.6.13-uc0 (MMU-less support)"
Next in thread: Corey Minyard: "Re: [RFC][CFLART] ipmi procfs bogosity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]