lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <48a616c60706190759r2d659120q2cefc8d9ba8743d2@mail.gmail.com>
Date:	Tue, 19 Jun 2007 10:59:51 -0400
From:	"News Letter" <newletter.yhl@...il.com>
To:	"Jiri Slaby" <jirislaby@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Question about a strange behavior of copy_to_user() in ioctl call

Thank you for your reply. I put the access_ok() as a debugging tool. I
suspected that copy_to_user() failed at the access_ok() test. It is
for debugging.

I did replace copy_from_user() with __copy_from_user(). It gave out
the same result.

On 6/19/07, Jiri Slaby <jirislaby@...il.com> wrote:
> News Letter napsal(a):
> > Hi,
> >
> > I need some help here to understand copy_to_user(). I encountered a
> > strange copy_to_user() behavior when working on CentOS from Redhat
> > (kernel version 2.6.9-22.ELsmp, x86_64 CPU).
> >
> > For a kernel module, I wrote a ioctl call to allow user mode program
> > to get some kernel data information. When a user program called the
> > ioctl, most of the time the ioctl failed with EFAULT, failed at
> > copy_to_user(). It succeeded a few times after a lot of running.
> >
> > Failed message indicated copy_to_user() returned 3840 (which is
> > exactly what is asked to copy, PAGE_SIZE-256). The printed value of
> > the user pointer were identical for successful ioctl calls and failed
> > ioctl calls. Some relevant details are at the end of this email. I
> > tried with calloc(PAGE_SIZE, 1), static buffer and automatic variable
> > on stack in user mode program. They gave the same result.
> >
> > I appreciate any help.
> >
> > Best,
> > Jasper
> >
> > The ioctl call structure is defined as follows,
> >
> > struct ioctl_get_info
> > {
> >   ... /* some other information */
> >   unsigned long user_pointer;
> >   unsigned user_buffer_len;
> >   unsigned returned_len;
> >   ... /* some other information */
> > };
> >
> > Inside kernel module, a page is allocated with :
> >
> > static unsigned char *test_page;
> >
> > static init_test(void)
> > {
> >   test_page = __get_free_pages(GFP_KERNEL, 0);
> >   if (!test_page)
> >         .... /* some error handling */
> > }
> >
> > static int test_ioctl(struct inode * inode, struct file * filp,
> > unsigned int cmd_in, unsigned long arg)
> > {
> >   struct ioctl_get_info igi;
> >   unsigned size;
> >   unsigned long remain;
> >
> >  size = IOC_SIZE(cmd_in);
> >  if (size != sizeof(igi))
> >    ....
> >
> >  ... /* some sanity checking */
> >
> >  if (!access_ok(VERIFY_READ, (char *)arg, size))
> >  {
> >      printk(KERN_INFO "...");
> >      return -EFAULT;
> >   }
> >
> >   if (copy_from_user(&igi, (char *)arg, size) != 0)
> >   {
> >       printk(... ...)
> >       return -EFAULT;
> >   }
> >
> >   if (!access_ok(VERIFY_WRITE, (char *)igi.user_pointer,
> > igi.user_buffer_len))
> >   {
> >       printk(...);
> >       return -EFAULT;
> >   }
> >
> >   size = PAGE_SIZE - 256;
> >   if (size > igi.user_buffer_len)
> >      size = igi.user_buffer_len;
> >   printk("igi.user_pointer %p size %u\n", igi.user_pointer, size);
>
> Weird. Are you sure, that previous access_ok doesn't fail with this 'size', not
> the 'igi.user_buffer_len'? Anyway, you can remove these access_ok checks, since
> they are provided by copy_from/to_user after debugging.
>
> >   if ((remain = copy_to_user((char *)igi.user_pointer, page + 256,
> > size)) != 0)
> >   {
> >      printk ("Failed to copy from user at %p remain %lu asked %u\n",
> > igi.user_pointer, remain, asked);
> > /* failed here */
> >      return -EFAULT;
> >   }
> >    igi.returned_len = size;
> >
> >   /* copy other information */
> >
> >   return 0;
> > }
>
> regards,
> --
> http://www.fi.muni.cz/~xslaby/            Jiri Slaby
> faculty of informatics, masaryk university, brno, cz
> e-mail: jirislaby gmail com, gpg pubkey fingerprint:
> B674 9967 0407 CE62 ACC8  22A0 32CC 55C3 39D4 7A7E
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ