lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 12 Nov 2007 23:08:10 +0900
From:	Tejun Heo <teheo@...e.de>
To:	Miao Xie <miaox@...fujitsu.com>
Cc:	gregkh@...e.de, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sysfs: fix  off-by-one error in fill_read_buffer

Miao Xie wrote:
> Hi,everyone.
>   I found that there is a off-by-one problem in the following code.
> 
> Version:    2.6.24-rc2
> File:        fs/sysfs/file.c:118-122
> Function:    fill_read_buffer
> --------------------------------------------------------------------
>     count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
> 
>     sysfs_put_active_two(attr_sd);
> 
>     BUG_ON(count > (ssize_t)PAGE_SIZE);
> --------------------------------------------------------------------
> Because according to the specification of the sysfs and the implement of
> the
> show methods, the show methods return the number of bytes which would be
> generated for the given input, excluding the trailing null.So if the return
> value of the show methods equals PAGE_SIZE - 1, the buffer is full in fact.
> And if the return value equals PAGE_SIZE, the resulting string was already
> truncated,or buffer overflow occurred.
> 
> This patch fixes an off-by-one error in fill_read_buffer.
> 
> Signed-off-by: Miao Xie <miaox@...fujitsu.com>

It isn't strictly a bug.  If the ->show() op fills full PAGE_SIZE and
returns PAGE_SIZE, the user will get full PAGE_SIZE bytes correctly, so
it will work.  However, considering normal use cases, return value of
PAGE_SIZE very likely indicates an error condition, so considering it a
BUG condition is a good idea.

Miao, can you please note that the code works fine with PAGE_SIZE return
but it's likely to indicate truncated result or overflow in normal use
cases as a comment on top of the BUG_ON()?

Thanks.

-- 
tejun
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ