Re: Bogus buffer length check in linux-2.6.11 read()

From: linux-os
Date: Wed Mar 16 2005 - 07:27:53 EST

Next message: Andrew Morton: "Re: OOM problems with 2.6.11-rc4"
Previous message: Andrew Morton: "Re: OOM problems with 2.6.11-rc4"
Next in thread: linux-os: "Re: Bogus buffer length check in linux-2.6.11 read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 15 Mar 2005, Robert Hancock wrote:

linux-os wrote:

The attached file shows that the kernel thinks it's doing
something helpful by checking the length of the input
buffer for a read(). It will return "Bad Address" until
the length is 1632 bytes. Apparently the kernel thinks
1632 is a good length!

Likely because only 1632 bytes of memory is accessible after the start of the buf buffer, and trying to read in more than that results in copy_to_user failing to write some data.

There was NO DATA read or written! The read() call returns immediately
without reading anything. Look at the code, assume nothing. This
is a blocking read from standard-input.

Did anybody consider the overhead necessary to do this
and the fact that the kernel has no way of knowing if
the pointer to the buffer is valid until it actually
does the write. What was wrong with copy_to_user()?
Why is there the additional bogus check?

What additional check?

Somebody added some very dumb check of the input value
of a read() length that occurs before anything is
actually read.

Previously, a read(), which is a kernel write to user-data
space, would seg-fault if the read exceeded the data-space
that had been mapped. It is done by the CPU, it generates
a trap. The performance cost, when done by the CPU, if
the data doesn't exceed bounds, is zero. Now, there is
a beginning check (a wrong check BTW), in software,
before the data is even obtained from the device.

--
Robert Hancock Saskatoon, SK, Canada
To email, remove "nospam" from hancockr@xxxxxxxxxxxxx
Home Page: http://www.roberthancock.com/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Cheers,
Dick Johnson
Penguin : Linux version 2.6.11 on an i686 machine (5537.79 BogoMips).
Notice : All mail here is now cached for review by Dictator Bush.
98.36% of all statistics are fiction.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: OOM problems with 2.6.11-rc4"
Previous message: Andrew Morton: "Re: OOM problems with 2.6.11-rc4"
Next in thread: linux-os: "Re: Bogus buffer length check in linux-2.6.11 read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]