From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Vegard Nossum <vegard.nossum@gmail.com>
Cc: Tom Tucker <tom@opengridcomputing.com>,
	Neil Brown <neilb@suse.de>, Chuck Lever <chuck.lever@oracle.com>,
	Greg Banks <gnb@sgi.com>,
	"J. Bruce Fields" <bfields@citi.umich.edu>,
	linux-kernel@vger.kernel.org
Subject: Re: buffer overflow in /proc/sys/sunrpc/transports
Date: Sun, 31 Aug 2008 00:15:36 +0400
Message-ID: <20080830201536.GA3659@lenovo>
In-Reply-To: <19f34abd0808301313v640a47fbl7bc61fd35e7cf4d5@mail.gmail.com>

[Vegard Nossum - Sat, Aug 30, 2008 at 10:13:23PM +0200]
| On Sat, Aug 30, 2008 at 10:04 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
| > [Vegard Nossum - Sat, Aug 30, 2008 at 09:59:38PM +0200]
| > | On Sat, Aug 30, 2008 at 9:56 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
| > | > | BTW, look at this:
| > | > |
| > | > |     $ od -A x -t x1z /proc/sys/sunrpc/transports
| > | > |     000000 74 63 70 20 31 30 34 38 35 37 36 0a 75 64 70 20  >tcp 1048576.udp <
| > | > |     000010 33 32 37 36 38 0a 00 00 00 00 00 00 00 00 00 00  >32768...........<
| > | > |     000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
| > | > |     *
| > | > |     0003e0 00 00 00 00 00 00 00 00 00 00                    >..........<
| > | > |     0003ea
| > | > |
| > | > | ...and:
| > | > |
| > | > |     $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
| > | > |     read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@G\316E4\0\0\0"...,
| > | > | 512) = 512
| > | > |     read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
| > | > |     read(3, "", 4096)                       = 0
| > | > |
| > | > | ...why does it have a huge return value? The output is only about 40
| > | > | bytes... why add all the \0? Would your patch also fix this?
| > | >
| > | > I think it's from the strace side - it passes a zeroed 4096-byte buffer.
| > |
| > | "cat" passed a buffer of size 4096, yes. But read() still returned 4074.
| > | It should have returned 38 or so.
| > |
| > | > At least I don't see additional issues from the kernel side in buffer
| > | > filling - except for svc_print_xprts(), which walks over the list.
| > | > But I think the sunrpc guys should know the details :)
| > | > Will send a short-fix patch soon :)
| > |
| > | It looks like it's returning (sizeof(buffer) - x) where it really
| > | should be returning x. Maybe it's this one that should be different?
| > |
| > |         *lenp -= len;
| > |
| >
| > yes, but this is just a side effect; if we fix the main error it should
| > resolve this problem too. Did you try the fix I sent a few msgs ago?
| > (I don't have sunrpc on my machine)
| 
| Sorry, I did it now :-)
| 
|     $ uname -a
|     Linux grianne 2.6.27-rc5-00006-gbef69ea-dirty #4 SMP PREEMPT Sat
| Aug 30 22:07:18 CEST 2008 i686 i686 i386 GNU/Linux
| 
|     $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
|     read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320
| \265\0004\0\0\0"..., 512) = 512
|     read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
|     read(3, "", 4096)                       = 0
| 
| So that problem seems to remain.

thanks - will check... (if I don't fall asleep :)

| 
| 
| Vegard
| 
| -- 
| "The animistic metaphor of the bug that maliciously sneaked in while
| the programmer was not looking is intellectually dishonest as it
| disguises that the error is the programmer's own creation."
| 	-- E. W. Dijkstra, EWD1036
| 
		- Cyrill -
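A user-space model of the read-handler length accounting the thread diagnoses (`*lenp -= len` versus `*lenp = len`), added here as an example; it is not the kernel's sunrpc code, and the sample transport text, the `xprt_read` handler and `simulate_read` are constructed for illustration. It reproduces the 4074-byte read() result for a 22-byte payload in a 4096-byte buffer, and shows the corrected accounting returning 22.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample of what the transports file should contain
 * ("tcp 1048576\nudp 32768\n" is 22 bytes). */
static const char *SAMPLE_XPRTS = "tcp 1048576\nudp 32768\n";

/* Model of a sysctl-style read handler: *lenp arrives as the size of the
 * caller's buffer and must leave as the number of bytes produced.
 * fixed == 0 models "*lenp -= len" (bytes left over, the bug discussed);
 * fixed == 1 models "*lenp = len" (bytes actually written). */
static int xprt_read(char *ubuf, size_t *lenp, long *ppos, int fixed)
{
    char tmpbuf[256];
    size_t len;

    if (*ppos || !*lenp) {          /* second read(): report EOF */
        *lenp = 0;
        return 0;
    }
    len = strlen(SAMPLE_XPRTS);
    if (len > sizeof(tmpbuf) || len > *lenp)
        return -1;                  /* would not fit; refuse rather than overflow */
    memcpy(tmpbuf, SAMPLE_XPRTS, len);
    memcpy(ubuf, tmpbuf, len);      /* stands in for copy_to_user() */
    if (fixed)
        *lenp = len;
    else
        *lenp -= len;               /* 4096 - 22 = 4074: the wrong count */
    *ppos += len;
    return 0;
}

/* One read() of 4096 bytes into a zeroed buffer, as cat does; returns the
 * byte count the handler reports. The untouched tail is all zeros, which is
 * exactly the run of \0 bytes seen in the od output above. */
size_t simulate_read(int fixed)
{
    char ubuf[4096] = {0};
    size_t lenp = sizeof(ubuf);
    long ppos = 0;

    if (xprt_read(ubuf, &lenp, &ppos, fixed) != 0)
        return (size_t)-1;
    return lenp;
}

int main(void)
{
    printf("buggy accounting: read() = %zu\n", simulate_read(0));  /* 4074 */
    printf("fixed accounting: read() = %zu\n", simulate_read(1));  /* 22 */
    return 0;
}
```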
