udev-146: wrong parameter size on ioctl FIONREAD

udev-146: wrong parameter size on ioctl FIONREAD

[Matthias Schwarzott]

[-- Attachment #1: Type: text/plain, Size: 1024 bytes --]

Hi there!

Another interesting gentoo bug: It is about ioctl failures on amd64: 
http://bugs.gentoo.org/show_bug.cgi?id=286041

A bad parameter type to an ioctl() call causes udev-146 to generate "error
getting buffer for inotify" messages in syslog.  The offending code is 
roughly:

    ssize_t nbytes, pos;
    // ...
    ioctl(fd, FIONREAD, &nbytes);

where ssize_t is 64 bits on amd64, but the kernel code for FIONREAD (at least
through gentoo-sources-2.6.31) uses type int:

    p = (void __user *) arg;
    switch (cmd) {
    case FIONREAD:
        // ...
        ret = put_user(send_len, (int __user *) p);

so the upper 32 bits of "nbytes" are left uninitialized, and the subsequent
malloc(nbytes) fails unless those 32 bits happen to be zero (or the system has
a LOT of memory).

Patch will follow.

Comment  #1
I'm assuming the use of int instead of [s]size_t in the kernel is intentional,
since all the FIONREAD handlers seem to use int.

Patch submitted by Andrew Church <gentoo4@achurch.org>

Regards
Matthias

[-- Attachment #2: udev-146-ioctl-parameter.patch --]
[-- Type: text/x-diff, Size: 292 bytes --]

--- udev-146-orig/udev/udevd.c	2009-08-09 05:59:33 +0900
+++ udev-146/udev/udevd.c	2009-09-23 12:23:07 +0900
@@ -660,7 +660,7 @@
 /* read inotify messages */
 static int handle_inotify(struct udev *udev)
 {
-	ssize_t nbytes, pos;
+	int nbytes, pos;
 	char *buf;
 	struct inotify_event *ev;
 

Re: udev-146: wrong parameter size on ioctl FIONREAD

[Kay Sievers]

On Wed, Sep 23, 2009 at 23:11, Matthias Schwarzott <zzam@gentoo.org> wrote:
> Hi there!
>
> Another interesting gentoo bug: It is about ioctl failures on amd64:
> http://bugs.gentoo.org/show_bug.cgi?id(6041

Applied.

Thanks,
Kay