eventfd: strictly check the count parameter of eventfd_write to avoid inputting illegal strings
Since eventfd's document has clearly stated: A write(2) call adds the 8-byte integer value supplied in its buffer to the counter. However, in the current implementation, the following code snippet did not cause an error: char str[16] = "hello world"; uint64_t value; ssize_t size; int fd; fd = eventfd(0, 0); size = write(fd, &str, strlen(str)); printf("eventfd: test writing a string, size=%ld\n", size); size = read(fd, &value, sizeof(value)); printf("eventfd: test reading as uint64, size=%ld, valus=0x%lX\n", size, value); close(fd); And its output is: eventfd: test writing a string, size=8 eventfd: test reading as uint64, size=8, valus=0x6F77206F6C6C6568 By checking whether count is equal to sizeof(ucnt), such errors could be detected. It also follows the requirements of the manual. Signed-off-by: Wen Yang <wenyang.linux@foxmail.com> Link: https://lore.kernel.org/r/tencent_10AAA44731FFFA493F9F5501521F07DD4D0A@qq.com Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Jens Axboe <axboe@kernel.dk> Cc: Christian Brauner <brauner@kernel.org> Cc: Jan Kara <jack@suse.cz> Cc: David Woodhouse <dwmw@amazon.co.uk> Cc: Matthew Wilcox <willy@infradead.org> Cc: Eric Biggers <ebiggers@google.com> Cc: linux-fsdevel@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org>
This commit is contained in:
parent
11b3f8ae70
commit
d31563b5f9
@ -251,7 +251,7 @@ static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t c
|
|||||||
ssize_t res;
|
ssize_t res;
|
||||||
__u64 ucnt;
|
__u64 ucnt;
|
||||||
|
|
||||||
if (count < sizeof(ucnt))
|
if (count != sizeof(ucnt))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
if (copy_from_user(&ucnt, buf, sizeof(ucnt)))
|
if (copy_from_user(&ucnt, buf, sizeof(ucnt)))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
Loading…
Reference in New Issue
Block a user