| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Sep 2006 18:22:14 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: akpm@...l.org, linux-kernel@...r.kernel.org Subject: Industrial device driver uio/uio_* This passed me by while I was away so I only saw it to review in mm6. It looks like it has a few problems... uio_lseek locking ? uio_read uses f->f_pos which it should never do ditto uio_write ... The uio_read/write functions can race seek or other read/write The uio_read/write functions do signed maths checks on unsigned types (size_t) so the count check fails. Partially completed I/O returns -EFAULT, should return the length transferred OK The *ppos adjustment means you can get f_pos to interestingly unsafe values. Generally speaking do loff_t pos = *ppos; do stuff with pos pos += movement; *ppos = pos; If idev->virtaddr is an mmio object you can't use copy_from/to_user on it uio_event is based on sizeof(int) so makes 32bit compat code insanely hard event_poll is wrong - poll methods shouldn't error just return "ready" idev->event_listener appears to have no locking versus the irq handler and the like. Anyone appears to be able to select any process as the task to signal or out of range or negative values I've not begun to look at uio_base.c in detail but it seems a lot of code to do very little. That said I can see the problem it is trying to solve, I'm just not sure it helps as is. Alan - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists