Re: [PATCH] Fix NR_KEYS off-by-one error
From: Vojtech Pavlik
Date: Tue Jul 27 2004 - 08:46:50 EST
On Mon, Jul 26, 2004 at 03:43:27PM -0700, Andrew Morton wrote:
> OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > Andries Brouwer <aebr@xxxxxxxxxx> writes:
> >
> > > On Sat, Jul 17, 2004 at 01:35:59AM +0900, OGAWA Hirofumi wrote:
> > >
> > > :: KDGKBENT ioctl can use 256 entries (0-255), but it was defined as
> > > :: key_map[NR_KEYS] (NR_KEYS == 255). The code seems also thinking it's 256.
> > > ::
> > > :: key_map[0] = U(K_ALLOCATED);
> > > :: for (j = 1; j < NR_KEYS; j++)
> > > :: key_map[j] = U(K_HOLE);
> > >
> > > I think the code has no opinion. It was 128 in 2.4.
> > > I am not aware of assumptions on NR_KEYS.
> > > So, do not think this is an off-by-one error.
> >
> > My point is that key_map is 0-254 array. But KDGKBENT uses 255
> >
> > case KDGKBENT:
> > key_map = key_maps[s];
> > if (key_map) {
> > val = U(key_map[i]);
> > if (kbd->kbdmode != VC_UNICODE && KTYP(val) >= NR_TYPES)
> > val = K_HOLE;
> > } else
> > val = (i ? K_HOLE : K_NOSUCHMAP);
> > return put_user(val, &user_kbe->kb_value);
> >
>
> This all seems a bit inconclusive. Do we proceed with the original patch
> or not? If not, how do we fix the overflow which Hirofumi has identified?
I think we should check the value in the ioctl, regardless of what's
NR_KEYS defined to.
--
Vojtech Pavlik
SuSE Labs, SuSE CR
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/