On Mon, 28 Dec 2015, Bjorn Andersson wrote: > On Fri, Dec 4, 2015 at 12:24 AM, Lee Jones <lee.jones@xxxxxxxxxx> wrote: > > On Thu, 03 Dec 2015, Arnd Bergmann wrote: > > > >> On Thursday 03 December 2015 17:28:30 Lee Jones wrote: > >> > > > >> > > Ah, interesting. I haven't tried myself, and just tried to read the > >> > > code. Maybe glibc already catches zero-length writes before it gets > >> > > into the kernel, or I just missed the part of the syscall that checks > >> > > for this. > >> > > >> > Glibc is responsible indeed: > >> > > >> > http://osxr.org/glibc/source/io/write.c > >> > >> Ok, so an attacker can force the stack overflow by calling > >> syscall(__NR_write, fd, p, 0) if that has any potential value, > >> but normal users won't hit this case. > > > > Right. I have fixed the issue (and another one I found) anyway, if > > only to rid the GCC warning. > > > > Sorry, but I'm unable to find a new version of this patch, did I miss > it or could you resend it? I didn't send it out. Just looking at this again, post-vacation. > Also, as I looked at this again, we should probably return an error if > count >= sizeof(buf) rather than just acknowledging the input (same in > the other debugfs write function in this file). Sure. -- Lee Jones Linaro STMicroelectronics Landing Team Lead Linaro.org │ Open source software for ARM SoCs Follow Linaro: Facebook | Twitter | Blog -- To unsubscribe from this list: send the line "unsubscribe devicetree" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
