Bug 185240 - ioctl default minimum argument length of 256 should be restored
Summary: ioctl default minimum argument length of 256 should be restored
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: perl
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: David Lawrence
URL: http://rt.perl.org/rt3/Ticket/Display...
Whiteboard:
Depends On:
Blocks: 185241 185242 187538
Reported: 2006-03-12 18:53 UTC by Jason Vas Dias
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2006-0426
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-18 13:29:58 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2006:0426
Priority: normal
Status: SHIPPED_LIVE
Summary: perl bug fix update
Last Updated: 2006-05-18 04:00:00 UTC

Description Jason Vas Dias 2006-03-12 18:53:43 UTC
Description of problem:
This is perl bug request ticket 38223.

Owing to the fix for bug 171111, where the length bitfield of the ioctl 
number argument, which specifies the length of the optional RD ioctl output
third argument, was not being extracted correctly, and perl used 256 as the 
minimum length of the third argument in all cases, perl now does not ascribe 
any minimum length to the third argument unless the length bitfield is
specified.

This has the result that unless the length bitfield of the ioctl number is
specified, a third argument of a buffer with insufficient length for the
ioctl output will be overflowed, and perl will suffer a buffer overflow
and a potential memory access violation or memory corruption, 
as generated by the following code (from perlbug RT# 38223):

#!/usr/bin/perl
require 'sys/ioctl.ph';
die "no TIOCGWINSZ " unless defined &TIOCGWINSZ;
open(TTY, "+</dev/tty") or die "No tty: $!";
unless (ioctl(TTY, &TIOCGWINSZ, $winsize='')) {  # empty buffer: TIOCGWINSZ encodes no length, so nothing pads it
die sprintf "$0: ioctl TIOCGWINSZ (%08x: $!)\n", &TIOCGWINSZ;
}
($row, $col, $xpixel, $ypixel) = unpack('S4', $winsize);
print "(row,col) = ($row,$col)";
print " (xpixel,ypixel) = ($xpixel,$ypixel)" if $xpixel || $ypixel;
print "\n";

Perl now correctly detects the buffer overflow:

Possible memory corruption: ioctl overflowed 3rd argument at ./bug38223.pl 
line 5.

This would not have occurred with perl versions before perl-5.8.5-18.RHEL4,
because the length of all the ioctl third output arguments was made a 
minimum of 256 bytes.

The overflow would not have occurred if the ioctl call had been:
  ioctl(TTY, &TIOCGWINSZ, $winsize='x'x16)
or 
  ioctl(TTY, &TIOCGWINSZ | (16 << &_IOC_SIZESHIFT), $winsize='')

The default size of 256 has been restored in the latest upstream patch for 
this issue:

==== //depot/perl/perl.h#657 (text) ====
Index: perl/perl.h
--- perl/perl.h.~1~ Fri Jan 13 04:10:49 2006
+++ perl/perl.h Fri Jan 13 04:10:49 2006
@@ -2977,8 +2977,8 @@
# define IOCPARM_LEN(x) (((x) >> 16) & \ # IOCPARM_MASK)
# else
# if defined(_IOC_SIZE) && defined(__GLIBC__)
- /* on Linux systems we're safe */
-# define IOCPARM_LEN(x) _IOC_SIZE(x)
+ /* on Linux systems we're safe; except when we're not [perl #38223] */
+# define IOCPARM_LEN(x) (_IOC_SIZE(x) < 256 ? 256 : \ _IOC_SIZE(x))
# else
/* otherwise guess at what's safe */
# define IOCPARM_LEN(x) 256
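Review bot: the replacement macro in the + lines, `(_IOC_SIZE(x) < 256 ? 256 : _IOC_SIZE(x))`, evaluates its argument twice, so a request expression with side effects would be run twice; wrapping it in a helper that stores `_IOC_SIZE(x)` in a local before comparing avoids that. The 256 floor is also a heuristic rather than a guarantee: a request whose size field is 0 but whose output exceeds 256 bytes still overflows, so the post-call "Possible memory corruption: ioctl overflowed 3rd argument" check quoted earlier in this report has to stay as the backstop, and the comment on the + line could say so instead of only "except when we're not". Finally, in both the context line `& \ # IOCPARM_MASK)` and the + line `? 256 : \ _IOC_SIZE(x)` the backslash continuation has been run together with the next token; that looks like a quoting artifact in this report, but it is worth confirming the committed perl.h has a newline after each `\`.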
End of Patch.

Version-Release number of selected component (if applicable):
perl-5.8.5-22.RHEL4

How reproducible:
100%

Steps to Reproduce:
Invoke a READ ioctl with a 0-length bitfield and an output buffer
third argument of insufficient length to hold the potential ioctl output.
  
Actual results:
Perl exits with error:
Possible memory corruption: ioctl overflowed 3rd argument

Expected results:
Perl should enforce a minimum length of 256 bytes for the ioctl output buffer.
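
The workaround described above (pre-sizing the third argument, or encoding the length via _IOC_SIZESHIFT) can be made systematic. The following is an added example, not code from the bug report or from perl itself: it decodes the length bitfield of the request number, applies the 256-byte floor the patch restores, and sizes the output buffer before calling the builtin. It assumes a Linux sys/ioctl.ph and a controlling tty; the helper names (ioc_size, out_buf_len, read_ioctl) are the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report: pre-size an ioctl output
# buffer from the request number's length bitfield, with an explicit
# floor, so the call is safe whether or not perl applies its own minimum.
use strict;
use warnings;

# Linux generic encoding: a 14-bit size field starting at bit 16.
# Assumption: sys/ioctl.ph may not define these constants on every build,
# so fall back to the generic values (some architectures use 13 bits).
my ($size_shift, $size_bits) = (16, 14);
if (eval { require 'sys/ioctl.ph'; 1 }) {
    $size_shift = &_IOC_SIZESHIFT if defined &_IOC_SIZESHIFT;
    $size_bits  = &_IOC_SIZEBITS  if defined &_IOC_SIZEBITS;
}

# Length encoded in the request number; 0 for old-style numbers such as
# TIOCGWINSZ, which is exactly the case left unpadded in -18..-22.RHEL4.
sub ioc_size {
    my ($req) = @_;
    return ($req >> $size_shift) & ((1 << $size_bits) - 1);
}

# Buffer length: max of the encoded size, the caller's known size, 256.
sub out_buf_len {
    my ($req, $known) = @_;
    $known ||= 0;
    my $len = ioc_size($req);
    $len = $known if $known > $len;
    $len = 256    if $len < 256;
    return $len;
}

# Wrapper around perl's ioctl builtin: allocate, call, return the raw
# output so the caller unpacks only the bytes the ioctl actually fills.
sub read_ioctl {
    my ($fh, $req, $known) = @_;
    my $buf = "\0" x out_buf_len($req, $known);
    ioctl($fh, $req, $buf) or return undef;
    return $buf;
}

if (defined &TIOCGWINSZ && open(my $tty, '+<', '/dev/tty')) {
    # struct winsize is four unsigned shorts (8 bytes), as in unpack('S4')
    my $ws = read_ioctl($tty, &TIOCGWINSZ, 8)
        or die sprintf "ioctl TIOCGWINSZ (%08x): $!\n", &TIOCGWINSZ;
    my ($row, $col) = unpack('S2', $ws);
    print "(row,col) = ($row,$col)\n";
}
```

Because the buffer is allocated before the call, the result does not depend on whether the running perl is one of the -18 to -22 builds without the floor or a later one with it.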

Comment 1 Jason Vas Dias 2006-03-14 15:03:14 UTC
Fixed with perl-5.8.5-26.RHEL4, available for download and testing from:
  http://people.redhat.com/~jvdias/perl/RHEL-4


Comment 5 Jason Vas Dias 2006-04-14 15:27:29 UTC
(In reply to comment #4)
> My customer (Philips) claims the same bug is in RHEL3's Perl as well, could we
> fix perlbug RT# 38223 there as well?
> 
Yes, the clone of this bug for RHEL-3 (bug 185241) is fixed in perl-5.8.0-92.EL3,
queued for delivery in the RHEL-3 FastTrack channel. The RPMs are also available
here: http://people.redhat.com/~jvdias/perl/RHEL-3 .


Comment 9 Red Hat Bugzilla 2006-05-18 13:29:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0426.html
