From: wenyang.linux@foxmail.com
To: Christian Brauner <brauner@kernel.org>,
Jens Axboe <axboe@kernel.dk>,
Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Wen Yang <wenyang.linux@foxmail.com>, Jan Kara <jack@suse.cz>,
David Woodhouse <dwmw@amazon.co.uk>,
Matthew Wilcox <willy@infradead.org>,
Eric Biggers <ebiggers@google.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] eventfd: strictly check the count parameter of eventfd_write to avoid inputting illegal strings
Date: Wed, 7 Feb 2024 00:35:18 +0800 [thread overview]
Message-ID: <tencent_10AAA44731FFFA493F9F5501521F07DD4D0A@qq.com> (raw)
From: Wen Yang <wenyang.linux@foxmail.com>
Since eventfd's document has clearly stated: A write(2) call adds
the 8-byte integer value supplied in its buffer to the counter.
However, in the current implementation, the following code snippet
did not cause an error:
char str[16] = "hello world";
uint64_t value;
ssize_t size;
int fd;
fd = eventfd(0, 0);
size = write(fd, &str, strlen(str));
printf("eventfd: test writing a string, size=%ld\n", size);
size = read(fd, &value, sizeof(value));
printf("eventfd: test reading as uint64, size=%ld, valus=0x%lX\n",
size, value);
close(fd);
And its output is:
eventfd: test writing a string, size=8
eventfd: test reading as uint64, size=8, valus=0x6F77206F6C6C6568
By checking whether count is equal to sizeof(ucnt), such errors
could be detected. It also follows the requirements of the manual.
Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Eric Biggers <ebiggers@google.com>
Cc: <linux-fsdevel@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
---
fs/eventfd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/eventfd.c b/fs/eventfd.c
index fc4d81090763..9afdb722fa92 100644
--- a/fs/eventfd.c
+++ b/fs/eventfd.c
@@ -251,7 +251,7 @@ static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t c
ssize_t res;
__u64 ucnt;
- if (count < sizeof(ucnt))
+ if (count != sizeof(ucnt))
return -EINVAL;
if (copy_from_user(&ucnt, buf, sizeof(ucnt)))
return -EFAULT;
--
2.25.1
next reply other threads:[~2024-02-06 16:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-06 16:35 wenyang.linux [this message]
2024-02-07 9:56 ` [PATCH] eventfd: strictly check the count parameter of eventfd_write to avoid inputting illegal strings Christian Brauner
2024-02-07 9:58 ` Christian Brauner
2024-02-08 4:33 ` Eric Biggers
2024-02-08 5:34 ` Wen Yang
2024-02-09 10:18 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_10AAA44731FFFA493F9F5501521F07DD4D0A@qq.com \
--to=wenyang.linux@foxmail.com \
--cc=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=dwmw@amazon.co.uk \
--cc=ebiggers@google.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.