From: Frederik Deweerdt <deweerdt@free.fr>
To: Amnon Shiloh <amnons@cs.huji.ac.il>
Cc: linux-kernel@vger.kernel.org, ebiederm@xmission.com,
	akpm@osdl.org, gregkh@suse.de
Subject: [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write)
Date: Thu, 24 Aug 2006 14:00:01 +0000
Message-ID: <20060824140001.GE1543@slug>
In-Reply-To: <E1GGAWv-0001uP-Mu@lucifer.cs.huji.ac.il>

On Thu, Aug 24, 2006 at 11:25:37AM +0300, Amnon Shiloh wrote:
> Hi,
> 
> Alright, I know that "mem_write" (fs/proc/base.c) is a "security hazard",
> but I need to use it anyway (as super-user only), and find it broken,
> somewhere between Linux-2.6.17 and Linux-2.6.18-rc4.
> 
> The point is that in the beginning of the routine, "copied" is set to 0,
> but it is no good because in lines 805 and 812 it is set to other values.
> Finally, the routine returns as if it copied 12 (=ENOMEM) bytes less than
> it actually did.
True, it looks like the faulty commit is: de7587343bfebc186995ad294e3de0da382eb9bc

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=99f895518368252ba862cc15ce4eb98ebbe1bec6;hp=8578cea7509cbdec25b31d08b48a92fcc3b1a9e3

The attached patch should fix it. Maybe that should go to 2.6.18.
Thanks for the bug report,
Frederik

Signed-off-by: Frederik Deweerdt <frederik.deweerdt@gmail.com>

--- fs/proc/base.c.orig	2006-08-24 13:57:22.000000000 +0200
+++ fs/proc/base.c	2006-08-24 13:57:10.000000000 +0200
@@ -797,7 +797,7 @@
 static ssize_t mem_write(struct file * file, const char * buf,
 			 size_t count, loff_t *ppos)
 {
-	int copied = 0;
+	int copied;
 	char *page;
 	struct task_struct *task = get_proc_task(file->f_dentry->d_inode);
 	unsigned long dst = *ppos;
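Review bot: With the initializer dropped at `int copied;`, the function depends on every exit taken before the later `copied = 0;` assigning an error code first, and none of those assignments are visible in this hunk. Please confirm that no `goto out` path can return `copied` uninitialized (a build with the compiler's uninitialized-variable warning enabled would show it). Separately, `copied` is an `int` while the function returns `ssize_t` and `count` is a `size_t`; if the declaration is being touched anyway, `ssize_t copied;` would match the return type.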
@@ -814,6 +814,7 @@
 	if (!page)
 		goto out;
 
+	copied = 0;
 	while (count > 0) {
 		int this_len, retval;
 
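Review bot: Missing comment at the added `copied = 0;` before `while (count > 0)`: nothing in the code says why the reset has to sit here rather than at the declaration, which is how it ended up being clobbered in the first place. A one-line comment noting that `copied` still holds the error value used by the `if (!page)` exit would keep a later cleanup from moving it back. The changelog should also state the user-visible symptom from the report (the write returning fewer bytes than were actually copied), since the mail body only says the patch "should fix it".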

Thread overview: 6+ messages
2006-08-24  8:25 bug report: mem_write Amnon Shiloh
2006-08-24 10:35 ` Gerard J Snitselaar
2006-08-24 14:00 ` Frederik Deweerdt [this message]
2006-08-24 16:33   ` [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write) Eric W. Biederman
2006-08-24 22:07     ` Frederik Deweerdt
2006-08-25  1:05       ` Amnon Shiloh
