Re: [dev] sbase: od: bug report

From: Dimitris Papastamos <sin_AT_2f30.org>
Date: Mon, 26 Oct 2015 16:35:08 +0000

On Mon, Oct 26, 2015 at 05:26:21PM +0100, FRIGN wrote:
> On Mon, 26 Oct 2015 11:00:54 -0400
> Greg Reagle <greg.reagle_AT_umbc.edu> wrote:
>
> Hey Greg,
>
> > Since there is no accompanying patch/fix, I am using dev rather than
> > hackers.
>
> thank you very much for this bug report! I still think this should be
> on hackers_AT_ though.
>
> > Command od doesn't seem to like multiple file arguments. See attached.
>
> Looking into the issue, I found the following problem roughly at the
> same time Dimitris did:
>
> while (skip - addr) {
>
> Normally, skip is 0, and on the first file, addr is 0 as well, so the
> overflow issue was masked.
> However, when od() was called with a second file, addr was > 0 and it
> would enter the loop, resulting in all sorts of strangeness.

To elaborate a bit at this point, the negative value (skip - addr) is
interpreted as a large unsigned value. The kernel will try to do a copy_to_user()
with a very large length field. It will fault at some point because
user memory is either not mapped or writeable and return -EFAULT
through the read syscall.

A quick way to find this is to use strace(1) and see which syscall fails.

Received on Mon Oct 26 2015 - 17:35:08 CET

This archive was generated by hypermail 2.3.0 : Mon Oct 26 2015 - 17:36:14 CET
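The unsigned wraparound discussed in this exchange, as an added C example that is not part of the thread or of sbase: `skip_remaining_buggy` reproduces the `skip - addr` pattern with a signed `off_t` and an unsigned `size_t`, `skip_remaining_fixed` is one hardened form that compares before subtracting, and `run_skip_loop`/`fake_read` are a constructed stand-in for the skip loop and for the kernel's length check in copy_to_user(). All function names, the 16-byte buffer and the sample data are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Constructed example, not sbase code.  `skip` is a signed off_t and
 * `addr` an unsigned size_t, as in the pattern quoted in the report.
 * The usual arithmetic conversions evaluate `skip - addr` as unsigned,
 * so when addr > skip the "negative" result wraps to a huge value.
 */

/* Bytes still to skip, computed the way the report describes (buggy). */
size_t skip_remaining_buggy(off_t skip, size_t addr)
{
	return skip - addr;		/* wraps when addr > skip */
}

/* Hardened form: check the ordering first, so the result never goes negative. */
size_t skip_remaining_fixed(off_t skip, size_t addr)
{
	if (skip <= 0 || addr >= (uintmax_t)skip)
		return 0;
	return (size_t)skip - addr;
}

#define BUFSZ 16

/* Constructed 20-byte "file" used by run_skip_loop() and main(). */
static const unsigned char sample_file[20] = "0123456789abcdefghij";

/*
 * Stand-in for read(2) into a BUFSZ-byte user buffer.  The kernel's
 * copy_to_user() faults once the length runs past mapped, writable user
 * memory, so any request larger than the buffer is answered with -1
 * (EFAULT) instead of being honoured.
 */
static ssize_t fake_read(const unsigned char *file, size_t filelen,
                         size_t *pos, unsigned char *buf, size_t len)
{
	if (len > BUFSZ)
		return -1;			/* would be -EFAULT from the kernel */
	if (len > filelen - *pos)
		len = filelen - *pos;	/* short read at end of file */
	memcpy(buf, file + *pos, len);
	*pos += len;
	return (ssize_t)len;
}

/*
 * Run the skip loop with the given remaining() function.  `addr` models
 * the running address carried over from an earlier file (0 for the first
 * file, as in the masked case).  The computed length goes straight to the
 * read, matching the symptom in the report.  Returns 0 when the skip
 * completes and -1 when the read fails.
 */
int run_skip_loop(size_t (*remaining)(off_t, size_t), off_t skip, size_t addr,
                  const unsigned char *file, size_t filelen)
{
	unsigned char buf[BUFSZ];
	size_t pos = 0, want;
	ssize_t n;

	while ((want = remaining(skip, addr)) > 0) {	/* the report's while (skip - addr) */
		n = fake_read(file, filelen, &pos, buf, want);
		if (n < 0)
			return -1;		/* read failed: EFAULT */
		if (n == 0)
			break;			/* EOF before the skip was satisfied */
		addr += (size_t)n;
	}
	return 0;
}

int main(void)
{
	size_t len = sizeof sample_file;

	printf("buggy, first file  (skip=0, addr=0): %d\n",
	       run_skip_loop(skip_remaining_buggy, 0, 0, sample_file, len));
	printf("buggy, second file (skip=0, addr=8): %d (length %zu)\n",
	       run_skip_loop(skip_remaining_buggy, 0, 8, sample_file, len),
	       skip_remaining_buggy(0, 8));
	printf("fixed, second file (skip=0, addr=8): %d\n",
	       run_skip_loop(skip_remaining_fixed, 0, 8, sample_file, len));
	return 0;
}
```

The first call succeeds only because both operands are zero, which is why the defect stayed hidden until od() was run on a second file with a non-zero carried-over address; strace(1) on the real binary would show the corresponding read() returning EFAULT with an absurd length argument.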