Message-ID: <CAGk-QBuo_Dye6XKXS3OgYMW_ed5qjgaho7iMCTCug+C=ptJf3g@mail.gmail.com>
Date:	Wed, 26 Aug 2015 17:30:54 +0800
From:	Sean Fu <fxinrong@...il.com>
To:	Heinrich Schuchardt <xypron.glpk@....de>
Cc:	Andrey Ryabinin <ryabinin.a.a@...il.com>,
	Ulrich Obergfell <uobergfe@...hat.com>,
	"Steven Rostedt (Red Hat)" <rostedt@...dmis.org>,
	Prarit Bhargava <prarit@...hat.com>,
	Eric B Munson <emunson@...mai.com>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Johannes Weiner <hannes@...xchg.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Don Zickus <dzickus@...hat.com>,
	David Rientjes <rientjes@...gle.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kernel/sysctl.c: If "count" including the terminating
 byte '\0' the write system call should return success.

On Wed, Aug 26, 2015 at 4:39 AM, Heinrich Schuchardt <xypron.glpk@....de> wrote:
>
>
> On 24.08.2015 10:56, Sean Fu wrote:
>> When the input argument "count" includes the terminating byte "\0",
>> the write system call returns EINVAL on a proc file,
>> but it returns success on a regular file.
>>
>> E.g. writing two bytes ("1\0") to "/proc/sys/net/ipv4/conf/eth0/rp_filter":
>> write(fd, "1\0", 2) returns EINVAL.
>
> Reading through kernel/sysctl.c it looks like you are allowing
> "1\01" to be used to pass two integers or two longs.
> This is not what you describe as target of your patch.
1st             2nd             3rd             Change?
'0'~'9'         '\0'            non '\0'        No

proc_get_long-->simple_strtoul-->simple_strtoull-->_parse_integer
__do_proc_dointvec
...
vleft = table->maxlen / sizeof(*i);    //vleft = 1 if it is integer type proc file
...
for (; left && vleft--; i++, first=0) {    //In last loop left=2, but vleft = 0 cause exit.

>
> Parameter tr returned from proc_get_long should be checked in
> __do_proc_dointvec,
> __do_proc_doulongvec_minmax.
>
> Best regards
>
> Heinrich Schuchardt
>
>>
>> Signed-off-by: Sean Fu <fxinrong@...il.com>
>> ---
>>  kernel/sysctl.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
>> index 19b62b5..c2b0594 100644
>> --- a/kernel/sysctl.c
>> +++ b/kernel/sysctl.c
>> @@ -2004,7 +2004,7 @@ static int do_proc_dointvec_conv(bool *negp,
>> unsigned long *lvalp,
>>         return 0;
>>  }
>>
>> -static const char proc_wspace_sep[] = { ' ', '\t', '\n' };
>> +static const char proc_wspace_sep[] = { ' ', '\t', '\n', '\0' };
>>
>>  static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
>>                   int write, void __user *buffer,
>>
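Review bot: In the proc_wspace_sep initializer, adding '\0' puts NUL on the same footing as ' ', '\t' and '\n', so it is accepted wherever this separator set is consulted, not only as the final byte of the write that the commit message describes. If the intent is only to tolerate a terminating NUL that is counted in "count", consider handling that case explicitly where the length is known (for example, dropping one trailing '\0' before parsing) and leaving the whitespace set unchanged. Otherwise, add a comment explaining why a non-whitespace byte belongs in an array named proc_wspace_sep, and state in the changelog what happens to input that follows the NUL, which is the "1\01" case raised in the reply above.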
All possibilities are listed.

1 byte data (count = 1)

1st             Change?
'\0'            No
non '\0'        No

2 bytes data (count = 2)

1st             2nd             Change?
'0'~'9'         '\0'            Yes
'0'~'9'         non '\0'        No
non number      '\0'            No
non number      non '\0'        No

3 bytes data (count = 3)

1st             2nd             3rd             Change?
'0'~'9'         '0'~'9'         '\0'            Yes
'0'~'9'         '0'~'9'         non '\0'        No
'0'~'9'         non '0'~'9'     '\0'            No
'0'~'9'         non '0'~'9'     non '\0'        No
'0'~'9'         '\0'            '\0'            No
'0'~'9'         '\0'            non '\0'        No
non '0'~'9'     Any             Any             No

More than 3 bytes data (count > 3)

Number sequence     The next character      Change?
"x1...xn"           '\0'                    Yes
"x1...xn"           non '\0'                No
Non "x1...xn"       '\0'                    No
Non "x1...xn"       non '\0'                No

"x1...xn" is a string whose members are all '0'~'9'.
Non "x1...xn" means the first character is not '0'~'9'.

"Yes" means the behavior is changed.
"No" means the behavior is not changed.