| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <xa1td1omf0od.fsf@mina86.com>
Date: Mon, 16 May 2016 18:05:38 +0200
From: Michal Nazarewicz <mina86@...a86.com>
To: "Du\, Changbin" <changbin.du@...el.com>,
Felipe Balbi <felipe.balbi@...ux.intel.com>,
Alan Stern <stern@...land.harvard.edu>
Cc: Al Viro <viro@...iv.linux.org.uk>,
"gregkh\@linuxfoundation.org" <gregkh@...uxfoundation.org>,
"rui.silva\@linaro.org" <rui.silva@...aro.org>,
"k.opasiak\@samsung.com" <k.opasiak@...sung.com>,
"lars\@metafoo.de" <lars@...afoo.de>,
"linux-usb\@vger.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] usb: gadget: f_fs: report error if excess data received
So I’ve been looking at AIO handling in f_fs and either I’m stupid or
the code is broken. Here’s part of ffs_user_copy_worker:
int ret = io_data->req->status ? io_data->req->status :
io_data->req->actual;
if (io_data->read && ret > 0) {
use_mm(io_data->mm);
ret = copy_to_iter(io_data->buf, ret, &io_data->data);
if (iov_iter_count(&io_data->data))
ret = -EFAULT;
unuse_mm(io_data->mm);
}
First of all, shouldn’t the copy_to_iter invocation be:
if (copy_to_iter(io_data->buf, ret, &io_data->data))
ret = -EFAULT;
Second of all, if the request reads fewer bytes than user requested,
iov_iter_count(…) will be non-zero (namely it will be the difference
between user’s buffer size and data read). This should not result in
EFAULT though.
So, am I going crazy? Or does this need to be fixed as well?
--
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»
Powered by blists - more mailing lists