lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1157995334.23085.188.camel@localhost.localdomain>
Date:	Mon, 11 Sep 2006 18:22:14 +0100
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	akpm@...l.org, linux-kernel@...r.kernel.org
Subject: Industrial device driver uio/uio_*

This passed me by while I was away so I only saw it to review in mm6. It
looks like it has a few problems...


uio_lseek locking ?

uio_read uses f->f_pos which it should never do
ditto uio_write ...

The uio_read/write functions can race seek or other read/write

The uio_read/write functions do signed maths checks on unsigned types
(size_t) so the count check fails.

Partially completed I/O returns -EFAULT, should return the length
transferred OK

The *ppos adjustment means you can get f_pos to interestingly unsafe
values. Generally speaking do

	loff_t pos = *ppos;

	do stuff with pos

	pos += movement;
	*ppos = pos;


If idev->virtaddr is an mmio object you can't use copy_from/to_user on
it

uio_event is based on sizeof(int) so makes 32bit compat code insanely
hard

event_poll is wrong - poll methods shouldn't error just return "ready"

idev->event_listener appears to have no locking versus the irq handler
and the like.

Anyone appears to be able to select any process as the task to signal or
out of range or negative values

I've not begun to look at uio_base.c in detail but it seems a lot of
code to do very little. That said I can see the problem it is trying to
solve, I'm just not sure it helps as is.

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ