Re: [PATCH] 2.4: fix memory corruption from misinterpretedbad_inode_ops return values

From: dann frazier
Date: Thu Jan 24 2008 - 17:39:32 EST


On Thu, Jan 24, 2008 at 03:06:58PM -0600, Eric Sandeen wrote:
> Willy Tarreau wrote:
> > Hi Dann,
> >
> > On Wed, Jan 23, 2008 at 11:12:12PM -0700, dann frazier wrote:
> >> This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
> >> (commit be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8)
> >>
> >> CVE-2006-5753 was assigned for this issue.
> >>
> >> I've built and boot-tested this, but I'm not sure how to exercise
> >> these codepaths.
> >
> > I have no idea either. Let's consider that if nobody on the list knows
> > how to do so, I'll merge it since you did not notice any regression.
> >
> > Thanks,
> > Willy
> >
>
> Sorry... here you go. Forgot to post this sooner. I hit it with
> this on 2.6.x
>
> #include <stdio.h>
> #include <sys/types.h>
> #include <sys/errno.h>
>
> static int return_EIO(void)
> {
> return -EIO;
> }
>
> int main(int argc, char ** argv)
> {
> ssize_t error;
> ssize_t realerror = -EIO;
> ssize_t (*fn_ptr)(void);
>
> fn_ptr = (void *)return_EIO;
>
> error = (ssize_t)fn_ptr();
> printf("and... error is %ld, should be %ld\n", error, realerror);
> return 0;
> }

Thanks Eric. Sounds like my comment about exercising these code paths
wasn't too clear - the comments with your patch do make the issue
clear, and this program demonstrates the void cast promotion issue
well. I'm just not sure of a good way to demonstrate that my backport
of this patch doesn't break anything for 2.4.

--
dann frazier

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/