Re: Bogus buffer length check in linux-2.6.11 read()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Dumazet <dada1@cosmosbay.com>
To: linux-os@analogic.com
Cc: Ian Campbell <ijc@hellion.org.uk>, Tom Felker <tfelker2@uiuc.edu>,
	Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: Bogus buffer length check in linux-2.6.11  read()
Date: Wed, 16 Mar 2005 15:42:39 +0100	[thread overview]
Message-ID: <423845DF.7080701@cosmosbay.com> (raw)
In-Reply-To: <Pine.LNX.4.61.0503160848420.16718@chaos.analogic.com>

linux-os wrote:

> 
> 
> I don't know how much more precise I could have been. I show the
> code that will cause the observed condition. I explain that this
> condition is new, that it doesn't correspond to the previous
> behavior.
> 
> Never before was some buffer checked for length before some data
> was written to it. The EFAULT is supposed to occur IFF a write
> attempt occurs outside the caller's accessible address space.
> This used to be done by hardware during the write to user-space.
> This had zero impact upon performance. Now there is some
> software added that adds CPU cycles, subtracts performance,
> and cannot possibly do anything useful.
> 
> Also, the code was written to show the problem. The code
> is not designed to be an example of good coding practice.
> 
> The actual problem observed with the new kernel was
> when some legacy code used gets() instead of fgets().
> The call returned immediately with an EFAULT because
> the 'C' runtime library put some value that the kernel
> didn't 'like' (4096 bytes) in the subsequent read.


If you use a buggy program, that had a hidden bug now exposed because 
of different kernel checks, dont complain, and use your brain.

If you do

$ export VAR1=" A very very very very long chain just to be sure my 
environnement (which is placed at the top of the stack at exec() time) 
will use at least 4 Kb  : then my litle buggy program will run if I 
type few chars but destroy my stack if I type a long string or if I 
use : cat longfile | ./xxx : So I wont complain again on lkml that I 
am sooooo lazy. Oh what could I type now, I'm tired, maybe I can copy 
this string to others variables. Yes... sure...."
$ export VAR2=$VAR1
$ export VAR3=$VAR1
$ export VAR4=$VAR1
$ export VAR5=$VAR1
Then check your env size is large enough
$ env|wc -c
    4508
$ ./xxx
./xxx 2>/dev/null

Apparently the kernel thinks 4096 is a good length!

So what ? Your program works well now, on a linux-2.6.11 typical 
machine. Ready to buffer overflow again.

Maybe you can pay me $1000 :)

Eric Dumazet
> 
> This is code for which there are no sources available
> and it is required to be used, cannot be replaced,
> cannot be thrown away and costs about US$ 10,000
> from a company that is no longer in business.
> 
> Somebody's arbitrary and capricious addition of spook
> code destroyed an application's functionality.
> 
> Cheers,
> Dick Johnson

next prev parent reply	other threads:[~2005-03-16 14:46 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-03-15 17:59 Bogus buffer length check in linux-2.6.11 read() linux-os
2005-03-16  2:56 ` Tom Felker
2005-03-16 12:29   ` linux-os
2005-03-16 13:30     ` Ian Campbell
2005-03-16 14:11       ` linux-os
2005-03-16 14:42         ` Eric Dumazet [this message]
2005-03-16 14:51           ` linux-os
     [not found] <3IoOm-5M2-49@gated-at.bofh.it>
2005-03-15 23:59 ` Robert Hancock
2005-03-16 12:23   ` linux-os
     [not found] ` <3IwVv-4kD-17@gated-at.bofh.it>
     [not found]   ` <3IFYO-3eg-37@gated-at.bofh.it>
     [not found]     ` <3IGUS-46t-27@gated-at.bofh.it>
     [not found]       ` <3IHxD-4Gb-5@gated-at.bofh.it>
2005-03-16 14:37         ` Robert Hancock

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=423845DF.7080701@cosmosbay.com \
    --to=dada1@cosmosbay.com \
    --cc=ijc@hellion.org.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-os@analogic.com \
    --cc=tfelker2@uiuc.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.