From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Vegard Nossum"
Subject: Re: v2.6.28-rc1: readlink /proc/*/exe returns uninitialized data to userspace
Date: Tue, 11 Nov 2008 23:53:56 +0100
Message-ID: <19f34abd0811111453q51412aaas3cd01cc2e8398cd7@mail.gmail.com>
References: <19f34abd0810251014s7968557br38e43aa0b9cdcf09@mail.gmail.com>
 <200810252241.53601.rjw@sisk.pl>
 <19f34abd0810261408w61b1e2dbvb9a0e16ce5a10022@mail.gmail.com>
 <19f34abd0811040139t8334502i7a5d8501c5fe95ac@mail.gmail.com>
 <20081104151234.GH28946@ZenIV.linux.org.uk>
 <20081106100410.GN4890@elte.hu>
 <20081107190544.GA1551@kroah.com>
 <20081107231205.GA2528@x200.localdomain>
 <20081111141412.b52469d2.akpm@linux-foundation.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "Alexey Dobriyan", greg@kroah.com, mingo@elte.hu, viro@zeniv.linux.org.uk, ebiederm@xmission.com, Yoshiya.Koyama@hp.com, rjw@sisk.pl, penberg@cs.helsinki.fi, linux-kernel@vger.kernel.org, kay.sievers@vrfy.org, linux-fsdevel@vger.kernel.org
To: "Andrew Morton"
Return-path:
Received: from rv-out-0506.google.com ([209.85.198.234]:44285 "EHLO rv-out-0506.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751122AbYKKWx5 (ORCPT ); Tue, 11 Nov 2008 17:53:57 -0500
Received: by rv-out-0506.google.com with SMTP id k40so115583rvb.1 for ; Tue, 11 Nov 2008 14:53:56 -0800 (PST)
In-Reply-To: <20081111141412.b52469d2.akpm@linux-foundation.org>
Content-Disposition: inline
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Tue, Nov 11, 2008 at 11:14 PM, Andrew Morton wrote:
> I queued the below for 2.6.28 inclusion and tagged for -stable
> backporting.
>
>
> From: Al Viro
>
> Vegard sayeth:
>
> When I run readlink on the /proc/*/exe-file for udevd, the kernel
> returns some uninitialized data to userspace:
>
> # strace -e trace=readlink readlink /proc/4762/exe
> readlink("/proc/4762/exe", "/sbin/udevd", 1025) = 30
>
> You can see it because the kernel thinks that the string is 30 bytes
> long, but in fact it is only 12 (including the '\0').
>
> If we explicitly clear the buffer before calling readlink, we can also
> see that some garbage has been filled in there, after the string:
>
> # ./readlink /proc/4762/exe
> readlink(/proc/4762/exe) = 30
> 2f7362696e2f7564657664000000ffffffad4effffffadffffffdeffffffffffffffff202864656c657465642900000000000000000000000000000
>
> (Output is from the following simple program:)
>
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
>
> int main(int argc, char *argv[])
> {
>         char buf[1024];

Should probably have been unsigned char.

>         int i;
>         ssize_t n;
>
>         memset(buf, 0, sizeof(buf));
>         n = readlink(argv[1], buf, sizeof(buf));
>
>         printf("readlink(%s) = %d\n", argv[1], n);
>
>         for (i = 0; i < sizeof(buf); ++i)
>                 printf("%02x", buf[i]);

Or maybe it was the wrong format string. Negative numbers become very
long (with many extra "ff"s) in output.

I guess it doesn't really matter, though...

That said, Alexey also had an error in HIS testcase:

On Tue, Nov 4, 2008 at 11:34 AM, Alexey Dobriyan wrote:
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <sys/types.h>
> #include <sys/stat.h>
>
> int main(void)
> {
>         int fd, fd1;
>         char buf[64], buf1[64], img[42000];
>         ssize_t len;
>
>         fd = open("/proc/self/exe", O_RDONLY);
>
>         readlink("/proc/self/exe", buf, sizeof(buf));
>         strcpy(buf1, buf);
>         strcat(buf1, ".xxx");
>         unlink(buf1);
>         fd1 = open(buf1, O_WRONLY|O_CREAT);

Without the third argument to open with O_CREAT, file permissions may be
very strange :-)

Is this small program suitable for inclusion in LTP, maybe? We can verify
that the kernel does the right thing by testing readlink(buf) == strlen(buf).

But thanks for the fix and attribution!


Vegard

-- 
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
	-- E. W. Dijkstra, EWD1036
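The regression check Vegard suggests for LTP, written out as an added example (this is not code from the thread, from LTP or from the kernel tree). It zeroes the buffer before the call, then requires that the length readlink(2) reports equals the visible string length and that every byte past that length is still zero; the 2.6.28-rc1 symptom (a reported length of 30 for an 11-character target, with stale " (deleted)" bytes after the NUL) fails the first test. It also carries the hex dump with `unsigned char`, the fix Vegard mentions for the "ffffffad" artefact. The self-test creates its own symlink in a temporary directory so it does not depend on /proc; the target string "/sbin/udevd" is a constructed value borrowed from the report and need not exist on the machine.

```c
/* Added example: consistency check for readlink(2) results.
 * Assumes a POSIX system; mkdtemp/symlink/strnlen need _XOPEN_SOURCE 700. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RL_BUF 1024

/* Returns 0 if readlink(path) is self-consistent, -1 if the call failed,
 * 1 if the reported length spans past a NUL (the 2.6.28-rc1 symptom),
 * 2 if bytes beyond the reported length were modified.
 * On success the link target is copied into *out (if non-NULL). */
int check_readlink_clean(const char *path, char *out, size_t outsz)
{
    unsigned char buf[RL_BUF];
    memset(buf, 0, sizeof buf);
    /* Pass one byte less than the buffer so the final zero always survives;
     * readlink does not NUL-terminate, so the zero fill is what strnlen relies on. */
    ssize_t n = readlink(path, (char *)buf, sizeof buf - 1);
    if (n < 0)
        return -1;
    size_t visible = strnlen((const char *)buf, sizeof buf);
    if ((size_t)n != visible)
        return 1;
    for (size_t i = (size_t)n; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 2;
    if (out && outsz)
        snprintf(out, outsz, "%s", (const char *)buf);
    return 0;
}

/* Hex-encode n bytes into dst using unsigned char, so 0xad prints as "ad"
 * and not as the sign-extended "ffffffad". Returns the number of characters written. */
size_t hex_encode(char *dst, size_t dstsz, const unsigned char *src, size_t n)
{
    size_t w = 0;
    if (dstsz)
        dst[0] = '\0';
    for (size_t i = 0; i < n && w + 3 <= dstsz; i++)
        w += (size_t)snprintf(dst + w, dstsz - w, "%02x", src[i]);
    return w;
}

/* Self-test for hex_encode on constructed bytes; returns 1 on success. */
int hex_encode_selftest(void)
{
    const unsigned char sample[] = { 0x2f, 0x73, 0x00, 0xff, 0xad };  /* constructed */
    char hex[16];
    size_t w = hex_encode(hex, sizeof hex, sample, sizeof sample);
    return w == 10 && strcmp(hex, "2f7300ffad") == 0;
}

/* Run the check on a symlink we create ourselves (constructed target, need not exist),
 * so it works without /proc. Returns the check_readlink_clean() code, or 3 if the
 * target text read back differs from what was written. */
int selftest_with_tmp_symlink(void)
{
    char dir[] = "/tmp/readlink_check_XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char link[sizeof dir + 8];
    snprintf(link, sizeof link, "%s/exe", dir);
    int rc = -1;
    if (symlink("/sbin/udevd", link) == 0) {
        char target[RL_BUF];
        rc = check_readlink_clean(link, target, sizeof target);
        if (rc == 0 && strcmp(target, "/sbin/udevd") != 0)
            rc = 3;
        unlink(link);
    }
    rmdir(dir);
    return rc;
}

int main(int argc, char *argv[])
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    char target[RL_BUF];
    int rc = check_readlink_clean(path, target, sizeof target);
    if (rc == 0)
        printf("readlink(%s) OK: %s\n", path, target);
    else
        printf("readlink(%s) failed check, code %d\n", path, rc);
    return rc == 0 ? 0 : 1;
}
```

Run without arguments it checks /proc/self/exe, which is the case from the report; pass any symlink path to check that instead. The equality test alone catches the bug described in the thread because the kernel returned a length that included bytes after the terminating NUL; the trailing-zero scan is the extra guard a test suite wants, since it also notices a kernel that writes past the length it reports.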