From: "Zack Weinberg" <zackw@Stanford.EDU>
To: "David S. Miller" <davem@redhat.com>
Cc: linux-kernel@vger.kernel.org, tridge@samba.org
Subject: Re: 2.2 PATCH: check return from copy_*_user in fs/pipe.c
Date: Tue, 19 Jun 2001 20:59:24 -0700
Message-ID: <20010619205924.H5679@stanford.edu>
In-Reply-To: <15152.4073.812901.656882@pizda.ninka.net>

On Tue, Jun 19, 2001 at 07:52:25PM -0700, David S. Miller wrote:
>
> Zack Weinberg writes:
> > It *has* been fixed in 2.4, though. Some sort of compatibility issue?
>
> No, some kind of "it doesn't matter" issue.

I can demonstrate user code that behaves differently under 2.2 than
2.4. The example I have (appended) doesn't suffer data loss, but I
bet I could make one that did.

I don't think it's a security hole, if that's what you mean.

zw

/* Pointer validation hack. Expected output is
 * |
 * |
 * |{null ptr}
 * |{unmapped: 0xAFAFAFAF}
 * |{unmapped: 0xA5A5A5A5}
 * |{unmapped: 0xCDEFABCD}
 * |{unaligned: 0xBFFFFB2B}
 *
 * Under Linux 2.2, will print a blank line instead of each
 * {unmapped: 0x...}.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 0 if p looks usable, otherwise a printf format describing
 * the problem (the caller supplies the pointer value as argument). */
static const char *
validate_ptr(void *p, size_t align)
{
    static int pipes[2];
    static int setup = 0;
    char dummy;

    /* create the probe pipe on first use */
    if(!setup)
    {
        if(pipe(pipes))
            abort();
        setup = 1;
    }

    if(p == NULL)
        return "{null ptr}";

    if((unsigned long)p & (align - 1))
        return "{unaligned: 0x%lX}";

    /* let the kernel try to read one byte from p; a bad address
     * makes write() fail instead of faulting in this process */
    if(write(pipes[1], p, 1) != 1)
        return "{unmapped: 0x%lX}";

    /* clear out the byte we just wrote down the pipe */
    read(pipes[0], &dummy, 1);
    return 0;
}

int
main(void)
{
    char blah = 'x';
    char *a, *b, *c, *d, *e, *f;
    const char *msg;

    a = &blah;
    b = malloc(1);
    c = (char *) 0;
    d = (char *) 0xafafafaf;
    e = (char *) 0xa5a5a5a5;
    f = (char *) 0xcdefabcd;

#define TEST(x, y) \
    if((msg = validate_ptr(x, y))) printf(msg, (unsigned long)x); \
    putchar('\n');

    TEST(a, 1);
    TEST(b, 4);
    TEST(c, 1);
    TEST(d, 1);
    TEST(e, 1);
    TEST(f, 1);
    TEST(a, 2);
    return 0;
}
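
An added example, not part of the message above or of any kernel source: the same pipe-write probe, keyed on errno == EFAULT and run against a page mapped PROT_NONE instead of hard-coded addresses, so the "unmapped" case is deterministic. The names probe_byte and probe_guard_page are hypothetical, and it assumes a kernel that reports the failed user copy, as the thread says 2.4 does.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the byte at p is readable, 0 if the kernel
 * reports EFAULT for it, -1 on any other error (errno is left set). */
int probe_byte(const void *p)
{
    static int fds[2] = { -1, -1 };
    char sink;
    ssize_t n;

    if (fds[0] < 0 && pipe(fds) != 0)
        return -1;
    do {
        n = write(fds[1], p, 1);      /* kernel copies one byte from p */
    } while (n < 0 && errno == EINTR);
    if (n == 1) {
        /* drain the probe byte so the pipe never fills up */
        while (read(fds[0], &sink, 1) < 0 && errno == EINTR)
            ;
        return 1;
    }
    return (n < 0 && errno == EFAULT) ? 0 : -1;
}

/* Constructed input: a PROT_NONE page is mapped but not readable, so a
 * kernel that checks the copy result must refuse it with EFAULT. */
int probe_guard_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r;

    if (m == MAP_FAILED)
        return -1;
    r = probe_byte(m);
    munmap(m, pg);
    return r;
}

int main(void)
{
    char local = 'x';
    printf("stack byte:     %d\n", probe_byte(&local));
    printf("PROT_NONE page: %d\n", probe_guard_page());
    printf("NULL:           %d\n", probe_byte(NULL));
    return 0;
}
```

A kernel that ignores the copy result, which is what the comment in the message's program describes for 2.2, would make probe_guard_page() return 1 here, so the probe is only as trustworthy as the kernel's error reporting.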