[PATCH] evdev: fix evdev_write return value on partial writes

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] evdev: fix evdev_write return value on partial writes
@ 2011-01-27  9:42 Peter Korsgaard
  2011-01-27  9:46 ` Baruch Siach
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2011-01-27  9:42 UTC (permalink / raw)
  To: dmitry.torokhov, linux-input, baruch; +Cc: Peter Korsgaard

As was recently brought up on the busybox list
(http://lists.busybox.net/pipermail/busybox/2011-January/074565.html),
evdev_write doesn't properly check the count argument, which will
lead to a return value > count on partial writes if the remaining bytes
are accessible - Causing userspace confusion.

Fix it by only handling each full input_event structure, similar to how
it is done in evdev_read.

Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
---
 drivers/input/evdev.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index c8471a2..61fa24e 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -330,7 +330,7 @@ static ssize_t evdev_write(struct file *file, const char __user *buffer,
 		goto out;
 	}
 
-	while (retval < count) {
+	while ((retval + input_event_size()) <= count) {
 
 		if (input_event_from_user(buffer + retval, &event)) {
 			retval = -EFAULT;
-- 
1.7.2.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] evdev: fix evdev_write return value on partial writes
  2011-01-27  9:42 [PATCH] evdev: fix evdev_write return value on partial writes Peter Korsgaard
@ 2011-01-27  9:46 ` Baruch Siach
  2011-01-27 10:05   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Baruch Siach @ 2011-01-27  9:46 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: dmitry.torokhov, linux-input

Hi Peter,

On Thu, Jan 27, 2011 at 10:42:00AM +0100, Peter Korsgaard wrote:
> As was recently brought up on the busybox list
> (http://lists.busybox.net/pipermail/busybox/2011-January/074565.html),
> evdev_write doesn't properly check the count argument, which will
> lead to a return value > count on partial writes if the remaining bytes
> are accessible - Causing userspace confusion.
> 
> Fix it by only handling each full input_event structure, similar to how
> it is done in evdev_read.
> 

A Reporte-by here would be nice.

> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

As I said on the Busybox list, applying this results in an endless

write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0
write(1, "test\n", 5)                   = 0

from the command

echo test > /dev/input/event0

write() should probably return -EINVAL here.

baruch

> ---
>  drivers/input/evdev.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
> index c8471a2..61fa24e 100644
> --- a/drivers/input/evdev.c
> +++ b/drivers/input/evdev.c
> @@ -330,7 +330,7 @@ static ssize_t evdev_write(struct file *file, const char __user *buffer,
>  		goto out;
>  	}
>  
> -	while (retval < count) {
> +	while ((retval + input_event_size()) <= count) {
>  
>  		if (input_event_from_user(buffer + retval, &event)) {
>  			retval = -EFAULT;
> -- 
> 1.7.2.3
> 

-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] evdev: fix evdev_write return value on partial writes
  2011-01-27  9:46 ` Baruch Siach
@ 2011-01-27 10:05   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2011-01-27 10:05 UTC (permalink / raw)
  To: Baruch Siach; +Cc: dmitry.torokhov, linux-input

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 >> Fix it by only handling each full input_event structure, similar to
 >> how it is done in evdev_read.

 Baruch> A Reporte-by here would be nice.

Sorry, forgot. Dmitry, could you add it when you commit the patch.

 >> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

 Baruch> As I said on the Busybox list, applying this results in an endless

 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0
 Baruch> write(1, "test\n", 5)                   = 0

 Baruch> from the command

 Baruch> echo test > /dev/input/event0

 Baruch> write() should probably return -EINVAL here.

Indeed, like we do in evdev_read. Updated patch sent.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2011-01-27 10:05 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-27  9:42 [PATCH] evdev: fix evdev_write return value on partial writes Peter Korsgaard
2011-01-27  9:46 ` Baruch Siach
2011-01-27 10:05   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.