LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Sun, 18 Jun 2000 20:36:35 +0930
Subject: system write(2) call bounds checking
Technical question about linux kernel.
Does anyone happen to know anything about how the
system write(2) call should check bounds of its
arguments?
I've got a situation where a call to the system
write(2) function with a parameter of 4294967295 bytes
(i.e. -1 bytes accidentally converted to unsigned long
due to someone _else's_ bug) is causing a system hang.
Not just a crash - it's a complete hang. All activity stops.
In the file /usr/src/linux/fs/read_write.c, I found this:
=========================================================
ret = locks_verify_area(FLOCK_VERIFY_WRITE, inode, file,
file->f_pos, count);
=========================================================
in the function
asmlinkage ssize_t sys_write(unsigned int fd, const char * buf, size_t count)
which I assume must be the kernel's write-function.
This should really reject the count-value and
life should go on.
But it doesn't.
Since this seems like a bit of a show-stopper for the
linux reliability idea, I'm a bit worried about it.
System calls with faulty arguments should not cause a
system hang - even if running as root.
By the way, the device driver for the device in question was
the Nicstar ATM card driver, and I've notified the linux-ATM
list. But it seems to me to be a bit more fundamental
than just the ATM software.
I once joined the linux kernel mailing list, but my disk drive
was not large enough. So I unsubscribed.
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
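
The situation described in the message above (a length of -1 reaching write(2) as 4294967295), shown as an added example that is not part of the original post and is not kernel or Nicstar driver code. It reproduces the 32-bit conversion and shows a length check at the caller and in a driver-style write handler; `checked_write`, `demo_dev_write` and `DEMO_MAX_WRITE` are hypothetical names chosen for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical per-call limit; a real driver would use its own buffer size. */
#define DEMO_MAX_WRITE 65536u

/* The conversion from the post: a signed length stored in a 32-bit unsigned type. */
uint32_t length_as_u32(int32_t len)
{
    return (uint32_t)len;           /* -1 becomes 4294967295 */
}

/* Caller-side guard: validate the signed length before it is cast to size_t. */
ssize_t checked_write(int fd, const void *buf, long len)
{
    if (len < 0) {
        errno = EINVAL;             /* refuse instead of passing a huge count on */
        return -1;
    }
    return write(fd, buf, (size_t)len);
}

/* Driver-style guard (hypothetical handler): reject an oversized count
 * before it is used as a copy length. Returns bytes accepted or -EINVAL. */
ssize_t demo_dev_write(char *devbuf, size_t devbuf_len,
                       const char *src, size_t count)
{
    if (count > devbuf_len || count > DEMO_MAX_WRITE)
        return -EINVAL;
    memcpy(devbuf, src, count);
    return (ssize_t)count;
}

int main(void)
{
    char dev[16];
    size_t bad = (size_t)length_as_u32(-1);   /* constructed faulty count */

    printf("-1 as 32-bit unsigned: %lu\n", (unsigned long)bad);
    printf("caller guard:  %ld\n", (long)checked_write(STDOUT_FILENO, "x", -1));
    printf("handler, bad:  %ld\n", (long)demo_dev_write(dev, sizeof dev, "abc", bad));
    printf("handler, good: %ld\n", (long)demo_dev_write(dev, sizeof dev, "abc", 3));
    return 0;
}
```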