Bug 489638
| Summary: | Incorrect Read(2) of /sys/firmware/rbu/ Entries with Count 0 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Qian Cai <qcai> | ||||
| Component: | kernel | Assignee: | Anton Arapov <anton> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Red Hat Kernel QE team <kernel-qe> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 4.7.z | CC: | eteo, jtluka, nobody, vmayatsk | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 667327 667328 (view as bug list) | Environment: | |||||
| Last Closed: | 2011-01-27 03:54:52 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 667327, 667328 | ||||||
| Attachments: |
|
||||||
Correction -- there is no garbage returns by read(2). Sorry, I have mistaken thought of that string address as garbage. So, I don't think it is security related at all. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. correct patch went upstream: http://marc.info/?l=linux-kernel&m=129224914901034&w=2 Created attachment 471819 [details] backported patch backport of: ea6f3281a145d16ed53e88b0627f78d5cde6068f b903c0b8899b46829a9b80ba55b61079b35940ec http://marc.info/?l=linux-kernel&m=129224914901034&w=2 |
Description of problem: The following program seems return incorrect values on Dell systems with dell_rbu (Dell Remote Bios Update Driver) loaded, char s[4096]; n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY); m = read(n, s, 0); n = open("/sys/firmware/rbu/rbudatasize", O_RDONLY); m = read(n, s, 0); Before applied the patch for bug 482866 - CVE-2009-0322 kernel: dell_rbu local oops (2.6.9-78.EL), read(2) returns the whole content, read(3, "0\n", 0) = 2 read(4, "0\n", 0) = 2 By using the kernel has the patch like 2.6.9-78.0.17.EL, it returns -1 and EPERM, and then fills the string with some garbage by either normal user or root. read(3, 0x7fbfffe970, 0) = -1 EPERM (Operation not permitted) read(4, 0x7fbfffe970, 0) = -1 EPERM (Operation not permitted) From "man 2 read", If count is zero, read() returns zero and has no other results. So, both behaviours look like incorrect. Version-Release number of selected component (if applicable): kernel-2.6.9-78.EL kernel-2.6.9-78.0.17.EL How reproducible: always Steps to Reproduce: 1. reserve a newer Dell systems has dell_rbu like dell-pe1850-01.rhts.bos.redhat.com dell-pe2900-03.rhts.bos.redhat.com 2. modproble dell_rbu 3. compile and run the reproducer, #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <errno.h> #include <unistd.h> int main(void) { int n,m; char s[4096]; n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY); perror("open"); m = read(n, s, 0); printf("m = %d\n", m); m = open("/sys/firmware/rbu/rbudatasize", O_RDONLY); printf("m = %d\n", m); n = read(m, s, 0); printf("n = %d\n", n); return 0; } Actual results: 2.6.9-78.EL: open: Success m = 2 m = 4 n = 2 2.6.9-78.0.17.EL: open: Success m = -1 m = 4 n = -1 Expected results: open: Success m = 0 m = 4 n = 0 Additional info: