Re: 2.6.13: loop ioctl crashes

On Fri, 9 Sep 2005, Richard B. Johnson wrote:

> On Fri, 9 Sep 2005, Ian Collier wrote:
>
>> On Fri, Sep 09, 2005 at 08:32:10AM -0400, linux-os (Dick Johnson) wrote:
>>> I guess you are trying to do a copy_from_user() with a spin-lock
>>> being held or the interrupts otherwise disabled. You can hold
>>> a semaphore, to prevent somebody else from interfering with
>>> you, but you cannot hold a spin-lock during copy/to/from/user().
>>
>> Well, I didn't write the code (it's right there in drivers/block/loop.c
>> in 2.6.13) and I can't see where there's a spin-lock.  In fact it does
>> use a semaphore.
>>
>> imc
>> -
>
> Try to see if it is really the loop device or something that is
> interfacing with it. Here I copy the contents of a DOS floppy
> to a file, then mount the file through the loop device:
>
> Script started on Fri 09 Sep 2005 10:17:27 AM EDT
> [root@chaos driver]# cp /dev/fd0 image
> [root@chaos driver]# ls -la image
> -rw-r-----  1 root root 1474560 Sep  9 10:18 image
> [root@chaos driver]# mount -o loop image /mnt
> [root@chaos driver]# ls -la /mnt
> total 894
> drwxr-xr-x   2 root root   7168 Dec 31  1969 .
> drwxr-xr-x  26 root root   4096 Sep  9 08:41 ..
> -rwxr-xr-x   1 root root    170 Apr 10  2003 autoexec.bat
> -rwxr-xr-x   1 root root  86413 Jul 30  2002 command.com
> -rwxr-xr-x   1 root root   2882 Apr  9  2003 config.sys
> -rwxr-xr-x   1 root root  16967 Mar 27  2003 err_lev.bat
> -rwxr-xr-x   1 root root   5874 Jan 21  2002 fdxxms.sys
> -rwxr-xr-x   1 root root   3173 Mar 27  2003 findramd.exe
> -rwxr-xr-x   1 root root  41293 Aug  4  2002 kernel.sys
> -rwxr-xr-x   1 root root 719592 Jun 28  2004 sw.exe
> -rwxr-xr-x   1 root root  25084 Sep 28  2000 tdsk.exe
> [root@chaos driver]# umount /mnt
> [root@chaos driver]# exit
>
> Script done on Fri 09 Sep 2005 10:18:55 AM EDT
>
>

Ignore what I wrote following the stuff above:

The code wasn't broken after all. Function fget() didn't
dereference a pointer. It just got a number as 'arg' so
it didn't have to copy to/from anything.

The stuff that was dereferenced did use the correct
copy/to/from() code.

>
> This seems to work okay in 2.6.13, however I don't think it
> __should__ work because in lo_ioctl(), the following
> functions reference 'arg' without using copy/to/from/user() or
> put/get/user():
> 	loop_set_fd (via fget()),
> 	loop_change_fd (via fget()),
> 	loop_get_status (via memset() and others),
> 	loop_get_status_old,
> 	loop_set_status64,
> 	loop_get_status64,
>        ... etc.
>
> Basically, anything that uses ioctl() on the loop device may find
> that they crash the system. This code is broken.
>
> Anton Altaparmakov last 'touched' that code in Feb 2005. Maybe
> he can fix the ioctl procedure to use the correct interface to
> user-land????

Cheers,
Dick Johnson
Penguin : Linux version 2.6.13 on an i686 machine (5589.53 BogoMips).
Warning : 98.36% of all statistics are fiction.
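The distinction the correction above turns on, shown as an added user-space C model that is not part of the thread and not kernel source: an ioctl `arg` that is only a number (a file descriptor resolved by a table lookup, as with fget()) needs no user copy, while an `arg` that is a pointer must go through a checked copy. All `model_*` and `MODEL_*` names, the fd table and the `user_mem` buffer are hypothetical stand-ins constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MODEL_SET_FD     1   /* arg carries a file descriptor number */
#define MODEL_GET_STATUS 2   /* arg carries a pointer into user memory */
#define NFILES 4

_Static_assert(sizeof(unsigned long) >= sizeof(void *), "arg must hold a pointer");

struct model_status { uint32_t number; uint32_t flags; };

static unsigned char user_mem[64];              /* constructed "user address space" */
static int open_files[NFILES] = { 0, 0, 0, 1 }; /* constructed: only fd 3 is open */
static int bound_fd = -1;

/* Stand-in for copy_to_user(): rejects any range outside user_mem. */
static int model_copy_to_user(uintptr_t dst, const void *src, size_t n)
{
    uintptr_t base = (uintptr_t)user_mem;
    if (dst < base || n > sizeof user_mem || dst - base > sizeof user_mem - n)
        return -EFAULT;
    memcpy((void *)dst, src, n);
    return 0;
}

/* Stand-in for fget(): the number is a table index, never dereferenced. */
static int model_fget(unsigned long fd)
{
    return (fd < NFILES && open_files[fd]) ? (int)fd : -EBADF;
}

int model_ioctl(unsigned int cmd, unsigned long arg)
{
    struct model_status st = { 0, 0 };
    int fd;

    switch (cmd) {
    case MODEL_SET_FD:            /* by value: validate the number only */
        fd = model_fget(arg);
        if (fd < 0)
            return fd;
        bound_fd = fd;
        return 0;
    case MODEL_GET_STATUS:        /* by pointer: must use the checked copy */
        if (bound_fd < 0)
            return -ENXIO;
        st.number = (uint32_t)bound_fd;
        return model_copy_to_user((uintptr_t)arg, &st, sizeof st);
    default:
        return -EINVAL;
    }
}
```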