Re: [PATCH] 2.4: fix memory corruption from misinterpreted bad_inode_ops return values

From: Eric Sandeen
Date: Thu Jan 24 2008 - 16:07:28 EST


Willy Tarreau wrote:
> Hi Dann,
>
> On Wed, Jan 23, 2008 at 11:12:12PM -0700, dann frazier wrote:
>> This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
>> (commit be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8)
>>
>> CVE-2006-5753 was assigned for this issue.
>>
>> I've built and boot-tested this, but I'm not sure how to exercise
>> these codepaths.
>
> I have no idea either. Let's consider that if nobody on the list knows
> how to do so, I'll merge it since you did not notice any regression.
>
> Thanks,
> Willy
>

Sorry... here you go. Forgot to post this sooner. I hit it with
this on 2.6.x


#include <stdio.h>
#include <sys/types.h>
#include <errno.h>

/* Same shape as the kernel's bad_inode_ops stub: declared to return int */
static int return_EIO(void)
{
	return -EIO;
}

int main(void)
{
	ssize_t error;
	ssize_t realerror = -EIO;
	ssize_t (*fn_ptr)(void);

	/* Cast the int-returning stub to an op that is expected to return ssize_t,
	 * exactly as the ops tables did before the fix */
	fn_ptr = (void *)return_EIO;

	/* The caller reads a 64-bit return value out of a function that only set 32 bits */
	error = (ssize_t)fn_ptr();
	printf("and... error is %zd, should be %zd\n", error, realerror);
	return 0;
}

-Eric
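An added example (mine, not from the thread or from the kernel commit) that models, without relying on the undefined mismatched call, why a 64-bit caller does not recognise the int -EIO as an error and what the correctly typed op looks like. It assumes the kernel's IS_ERR_VALUE() bound of 4095 and x86-64 zero-extension of a 32-bit return register.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_ERRNO 4095  /* bound used by the kernel's IS_ERR_VALUE() */

/* Kernel-style check: error codes occupy the top 4095 values of the address space */
static bool is_err_value(ssize_t v)
{
	return (unsigned long)v >= (unsigned long)-MAX_ERRNO;
}

/* Model of the bug: an int-returning op only sets the low 32 bits of the return
 * register; on x86-64 the upper half is zero-extended, so a caller expecting
 * ssize_t reads a large positive "byte count" instead of a negative errno.
 * Modelled with an explicit cast because the real mismatched call is UB. */
static ssize_t call_int_op_as_ssize_t(int (*op)(void))
{
	return (ssize_t)(uint32_t)op();
}

static int bad_read_int(void)       { return -EIO; }  /* pre-fix shape (hypothetical name) */
static ssize_t bad_read_ssize(void) { return -EIO; }  /* fixed shape: matches ->read's type */

/* What a caller that tests "ret < 0" sees from each shape */
ssize_t misinterpreted_result(void) { return call_int_op_as_ssize_t(bad_read_int); }
ssize_t fixed_result(void)          { return bad_read_ssize(); }

int main(void)
{
	ssize_t bad = misinterpreted_result(), good = fixed_result();

	printf("int op seen as ssize_t: %zd (error? %s)\n", bad, is_err_value(bad) ? "yes" : "no");
	printf("ssize_t op:             %zd (error? %s)\n", good, is_err_value(good) ? "yes" : "no");
	return 0;
}
```

On a 32-bit build the zero-extended value wraps back to -EIO, which is why the bug only bit on 64-bit systems.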