[dm-devel] [PATCH] dm-ioctl.c: Don't overrun ioctl buffer
Kevin Corry
kevcorry at us.ibm.com
Mon Apr 5 21:01:57 UTC 2004
In retrieve_status(), we should make sure there is still space remaining in
the ioctl buffer before calling the target's status() routine. In devices
with lots of targets, this can cause a segfault when getting the device
status or table from user-space.
Example:
Create a device with 500 linear targets. Then get the status or table for that
device. Either one will cause a segfault in retrieve_status(). For me it's
usually around the 334th target.
# Build a table of 500 one-sector linear targets, each mapped to the start of
# /dev/hdb1 (table line fields: start length linear <device> <offset>).
for ((a=0; a<500; a++)); do
    echo "$a 1 linear /dev/hdb1 0" >> 500_linears
done
# Load the table, then ask for the status (or table) of the resulting device.
dmsetup create 500_linears 500_linears
dmsetup status 500_linears
Looks like 2.4 could use this patch as well.
--
Kevin Corry
kevcorry at us.ibm.com
http://evms.sourceforge.net/
In retrieve_status(), make sure we don't overrun the ioctl buffer.
--- diff/drivers/md/dm-ioctl.c 2004-04-05 15:18:48.000000000 -0500
+++ source/drivers/md/dm-ioctl.c 2004-04-05 15:18:35.000000000 -0500
@@ -815,6 +815,10 @@
outptr += sizeof(struct dm_target_spec);
remaining = len - (outptr - outbuf);
+ if (remaining <= 0) {
+ param->flags |= DM_BUFFER_FULL_FLAG;
+ break;
+ }
/* Get the status/table string from the target driver */
if (ti->type->status) {
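Review bot: the new check comes after `outptr += sizeof(struct dm_target_spec);`, so by the time `remaining` is tested the spec header for this target has already been written into the buffer; the hunk therefore depends on an earlier test (outside this context) having guaranteed room for the spec itself, and that earlier test needs to compare against `sizeof(struct dm_target_spec)`, not just against zero, for this addition to be sufficient. Also, if `remaining` is declared `size_t` (unsigned), `remaining <= 0` can only ever match zero, and a subtraction that went negative would wrap to a large value and sail past the check; writing it as `if (!remaining)` states the actual intent and avoids a signed-looking comparison on an unsigned type. Placing the break before `if (ti->type->status)` is right, since it then protects whatever is written for targets without a status routine as well.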
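As an added example that is not part of Kevin's mail or of drivers/md/dm-ioctl.c, here is a userspace model in C of the retrieve_status() output loop with the space check the patch adds, driven by the mail's 500-linear-target table. struct target_spec, BUFFER_FULL_FLAG, fill_status(), linear_status(), the 40-byte spec, the "3:65 0" status string and the buffer sizes are all assumptions standing in for dm_target_spec, DM_BUFFER_FULL_FLAG and the real kernel code; the sizes are constructed so that each exit path (everything fits, no room for the next spec, zero bytes left for the string, string truncated) is exercised.

```c
/* Added example, not kernel code: a model of retrieve_status()'s loop.
 * Names and sizes below are hypothetical stand-ins for the dm originals. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_FULL_FLAG 0x1u	/* stands in for DM_BUFFER_FULL_FLAG */
#define NUM_TARGETS 500u

/* Fixed-size per-target header (40 bytes); a NUL-terminated string follows. */
struct target_spec {
	uint64_t sector_start;
	uint64_t length;
	int32_t  status;
	uint32_t next;		/* byte offset from this spec to the next one */
	char     target_type[16];
};

struct target {
	uint64_t begin, len, dev_offset;
	const char *type_name;
	/* Same contract as a dm target's status(): nonzero if it did not fit. */
	int (*status)(const struct target *ti, char *result, size_t maxlen);
};

/* Stand-in for the linear target's table line: "<major:minor> <offset>". */
static int linear_status(const struct target *ti, char *result, size_t maxlen)
{
	int n = snprintf(result, maxlen, "3:65 %llu",
			 (unsigned long long)ti->dev_offset);
	return n < 0 || (size_t)n >= maxlen;	/* snprintf reports truncation */
}

/* Serialize targets into outbuf[len]; return how many were fully written and
 * set BUFFER_FULL_FLAG when space ran out. Space is checked twice per target:
 * before writing the spec, and (the patch's check) before handing the target
 * the remainder for its string, so it is never given zero bytes. */
static unsigned fill_status(const struct target *targets, unsigned num_targets,
			    char *outbuf, size_t len, uint32_t *flags)
{
	char *outptr = outbuf;
	unsigned i;

	for (i = 0; i < num_targets; i++) {
		const struct target *ti = &targets[i];
		struct target_spec *spec;
		size_t remaining = len - (size_t)(outptr - outbuf);
		size_t used;

		if (remaining < sizeof(*spec)) {	/* no room for the header */
			*flags |= BUFFER_FULL_FLAG;
			break;
		}
		spec = (struct target_spec *)outptr;
		spec->sector_start = ti->begin;
		spec->length = ti->len;
		spec->status = 0;
		spec->next = 0;
		strncpy(spec->target_type, ti->type_name, sizeof(spec->target_type) - 1);
		spec->target_type[sizeof(spec->target_type) - 1] = '\0';

		outptr += sizeof(*spec);
		remaining = len - (size_t)(outptr - outbuf);
		if (remaining == 0) {		/* the check the patch adds */
			*flags |= BUFFER_FULL_FLAG;
			break;
		}
		if (ti->status(ti, outptr, remaining)) {	/* string truncated */
			*flags |= BUFFER_FULL_FLAG;
			break;
		}
		outptr += strlen(outptr) + 1;

		/* Align the next spec to 8 bytes, never stepping past len. */
		used = ((size_t)(outptr - outbuf) + 7) & ~(size_t)7;
		if (used > len)
			used = len;
		spec->next = (uint32_t)(used - (size_t)((char *)spec - outbuf));
		outptr = outbuf + used;
	}
	return i;
}

/* Constructed input: the mail's 500 one-sector linear targets, filled into a
 * buffer of buflen bytes (capped at 32 KiB). Returns the number emitted. */
static unsigned demo_fill(size_t buflen, uint32_t *flags)
{
	static struct target targets[NUM_TARGETS];
	static uint64_t buf64[4096];	/* 8-byte aligned, like a kmalloc'd buffer */
	unsigned i;

	if (buflen > sizeof(buf64))
		buflen = sizeof(buf64);
	for (i = 0; i < NUM_TARGETS; i++) {
		targets[i].begin = i;
		targets[i].len = 1;
		targets[i].dev_offset = 0;
		targets[i].type_name = "linear";
		targets[i].status = linear_status;
	}
	memset(buf64, 0, sizeof(buf64));
	*flags = 0;
	return fill_status(targets, NUM_TARGETS, (char *)buf64, buflen, flags);
}

unsigned demo_count(size_t buflen) { uint32_t f; return demo_fill(buflen, &f); }
int demo_is_full(size_t buflen)
{
	uint32_t f;
	demo_fill(buflen, &f);
	return (f & BUFFER_FULL_FLAG) != 0;
}

int main(void)
{
	size_t sizes[] = { 24000, 16384, 520, 526 };
	for (size_t k = 0; k < 4; k++)
		printf("buffer %5zu: %3u targets emitted, full=%d\n", sizes[k],
		       demo_count(sizes[k]), demo_is_full(sizes[k]));
	return 0;
}
```

With the assumed 48 bytes per entry, a 24000-byte buffer holds all 500 targets with the flag clear, a 16 KiB buffer stops after 341 because the next header does not fit, 520 bytes leaves exactly zero bytes after the 11th header (the case the patch guards), and 526 bytes leaves six, which the status string does not fit into; in every full case the caller would retry with a larger buffer rather than read past the end of this one.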