On Thu, 7 Feb 2002, Andrey Panin wrote:
> Hi all,
>
> small program below crashes on read() from driverfs file:
>
> int main(void)
> {
> int fd, ret;
> char buf[16];
>
> fd = open("/var/driver/root/pci0/status", 0);
> ret = read(fd, buf, sizeof(buf));
> close(fd);
> }
>
> it's because driverfs_read_file() function blindly uses entry->show()
> return value without sanity check. As a result userspace process requested
> 16 bytes, but got ~45 and smashed stack as a bonus. You can also get this
> effect pressing F3 in Midnight Commander on driverfs files.
>
> Attached patch adds check that returned value is less then requested
> byte count. I know that actual callback function device_read_status()
> should also be fixed, but I found this bug after midnight and
> decided to sleep a little :)
That sanity check was in there, once upon a time. However, in moving the
weight from the driver callbacks to the driverfs read_file() and
write_file(), it must have got dropped...
Thank you. It's been applied and will be pushed forward.
-pat
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Feb 07 2002 - 21:01:03 EST