[PATCH] undo do_readv_writev() behavior change

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bugme bug 4326: http://bugme.osdl.org/show_bug.cgi?id=4326 reports:

> Problem Description: 
> On executing the systemcall readv with Bad argument
> (iovec->len == -1) it gives out error EFAULT instead of EINVAL 

This is not a serious bug, but is a slight behavior change.  This changeset:

	http://linus.bkbits.net:8080/linux-2.5/cset@4202616998ECZp5x5NfCDbX9JcEG7g?nav=index.html|src/|src/fs|related/fs/read_write.c

does an access_ok() check before the 'len < 0' check, in
do_readv_writev() so it now does an EFAULT instead of EVINAL for the -1
length argument. 

>  	for (seg = 0; seg < nr_segs; seg++) {
...
> +		if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
> +			goto Efault;
>  		if (len < 0)	/* size_t not fitting an ssize_t .. */
>  			goto out;
>  		tot_len += len;

The attached path moves the access check to after the len check, to make
it behave a little more like it did before.

-- Dave

--- linux-2.6/fs/read_write.c.orig	2005-03-31 14:02:03.940333696 -0800
+++ linux-2.6/fs/read_write.c	2005-03-31 14:03:24.651063800 -0800
@@ -467,10 +467,10 @@ static ssize_t do_readv_writev(int type,
 		void __user *buf = iov[seg].iov_base;
 		ssize_t len = (ssize_t)iov[seg].iov_len;
 
-		if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
-			goto Efault;
 		if (len < 0)	/* size_t not fitting an ssize_t .. */
 			goto out;
+		if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
+			goto Efault;
 		tot_len += len;
 		if ((ssize_t)tot_len < 0) /* maths overflow on the ssize_t */
 			goto out;

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux