Re: buffer overflow in /proc/sys/sunrpc/transports

From: Cyrill Gorcunov
Date: Sat Aug 30 2008 - 16:29:39 EST


[Vegard Nossum - Sat, Aug 30, 2008 at 10:13:23PM +0200]
| On Sat, Aug 30, 2008 at 10:04 PM, Cyrill Gorcunov <gorcunov@xxxxxxxxx> wrote:
| > [Vegard Nossum - Sat, Aug 30, 2008 at 09:59:38PM +0200]
| > | On Sat, Aug 30, 2008 at 9:56 PM, Cyrill Gorcunov <gorcunov@xxxxxxxxx> wrote:
| > | > | BTW, look at this:
| > | > |
| > | > | $ od -A x -t x1z /proc/sys/sunrpc/transports
| > | > | 000000 74 63 70 20 31 30 34 38 35 37 36 0a 75 64 70 20 >tcp 1048576.udp <
| > | > | 000010 33 32 37 36 38 0a 00 00 00 00 00 00 00 00 00 00 >32768...........<
| > | > | 000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >................<
| > | > | *
| > | > | 0003e0 00 00 00 00 00 00 00 00 00 00 >..........<
| > | > | 0003ea
| > | > |
| > | > | ...and:
| > | > |
| > | > | $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
| > | > | read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@G\316E4\0\0\0"...,
| > | > | 512) = 512
| > | > | read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
| > | > | read(3, "", 4096) = 0
| > | > |
| > | > | ...why does it have a huge return value? The output is only about 40
| > | > | bytes... why add all the \0? Would your patch also fix this?
| > | >
| > | > I think it's from strace side - it pass 4096 zero'ed buffer.
| > |
| > | "cat" passed buffer of size 4096, yes. But read() still returned 4074.
| > | It should have returned 38 or so.
| > |
| > | > At least I don't see additional issues from kernel side in buffer
| > | > filling - except from svc_print_xprts() which walk over list.
| > | > But I think sunpc guys should know details :)
| > | > Will send short-fix patch soon :)
| > |
| > | It looks like it's returning (sizeof(buffer) - x) where it really
| > | should be returning x. Maybe it's this one that should be different?
| > |
| > | *lenp -= len;
| > |
| >
| > yes, but this is just a side effect, if we fix main error - it should
| > resolve this problem too. Did you try the fix I sent a few msgs ago?
| > (I don't have sunrpc on my machine)
|
| Sorry, I did it now :-)
|
| $ uname -a
| Linux grianne 2.6.27-rc5-00006-gbef69ea-dirty #4 SMP PREEMPT Sat
| Aug 30 22:07:18 CEST 2008 i686 i686 i386 GNU/Linux
|
| $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
| read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320
| \265\0004\0\0\0"..., 512) = 512
| read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
| read(3, "", 4096) = 0
|
| So that problem seems to remain.
|
|
| Vegard

Vegard, are you sure you test it with this patch (a bit updated)?

|
| --
| "The animistic metaphor of the bug that maliciously sneaked in while
| the programmer was not looking is intellectually dishonest as it
| disguises that the error is the programmer's own creation."
| -- E. W. Dijkstra, EWD1036
|
- Cyrill -
---

Index: linux-2.6.git/net/sunrpc/sysctl.c
===================================================================
--- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-07-20 11:40:14.000000000 +0400
+++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-31 00:19:42.000000000 +0400
@@ -69,9 +69,10 @@ static int proc_do_xprt(ctl_table *table
return -EINVAL;
else {
len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
+ if (*lenp < len)
+ len = *lenp;
if (!access_ok(VERIFY_WRITE, buffer, len))
return -EFAULT;
-
if (__copy_to_user(buffer, tmpbuf, len))
return -EFAULT;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/