Bug 489638 - Incorrect Read(2) of /sys/firmware/rbu/ Entries with Count 0
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.7.z
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Anton Arapov
QA Contact: Red Hat Kernel QE team
Blocks: 667327 667328
Reported: 2009-03-10 22:26 EDT by CAI Qian
Modified: 2014-06-18 04:02 EDT
Doc Type: Bug Fix
Clones: 667327 667328
Last Closed: 2011-01-26 22:54:52 EST

Attachments:
  backported patch (1.58 KB, patch), 2011-01-05 03:57 EST, Anton Arapov

Description CAI Qian 2009-03-10 22:26:31 EDT
Description of problem: The following program seems to return incorrect values on Dell systems with dell_rbu (Dell Remote BIOS Update driver) loaded,

char s[4096];

n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
m = read(n, s, 0);
n = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
m = read(n, s, 0);

Before the patch for bug 482866 (CVE-2009-0322, kernel: dell_rbu local oops) was applied, i.e. on 2.6.9-78.EL, read(2) returns the whole content,

read(3, "0\n", 0)                       = 2
read(4, "0\n", 0)                       = 2

With a kernel that has the patch, like 2.6.9-78.0.17.EL, it returns -1 and EPERM, and then fills the string with some garbage, for either a normal user or root.

read(3, 0x7fbfffe970, 0)                = -1 EPERM (Operation not permitted)
read(4, 0x7fbfffe970, 0)                = -1 EPERM (Operation not permitted)

From "man 2 read",

  If count is zero, read() returns zero and has no other results.

So, both behaviours look incorrect.

Version-Release number of selected component (if applicable):
kernel-2.6.9-78.EL
kernel-2.6.9-78.0.17.EL

How reproducible:
always

Steps to Reproduce:
1. Reserve a newer Dell system that has dell_rbu, like
   dell-pe1850-01.rhts.bos.redhat.com
   dell-pe2900-03.rhts.bos.redhat.com

2. modprobe dell_rbu
3. compile and run the reproducer,

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>

int
main(void)
{
        int n, m;
        char s[4096];

        /* first attribute: fd in n, result of the zero-length read in m */
        n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
        perror("open");

        m = read(n, s, 0);
        printf("m = %d\n", m);

        /* second attribute: the fd itself lands in m (this is the "m = 4"
           line in the results), result of the zero-length read in n */
        m = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
        printf("m = %d\n", m);

        n = read(m, s, 0);
        printf("n = %d\n", n);

        return 0;
}
Actual results:
2.6.9-78.EL:
open: Success
m = 2
m = 4
n = 2

2.6.9-78.0.17.EL:
open: Success
m = -1
m = 4
n = -1

Expected results:
open: Success
m = 0
m = 4
n = 0


Additional info:
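Added example (not the dell_rbu driver's source and not part of the original report): a user-space model of the three read behaviours described above, plus a checker for the read(2) rule quoted from the man page. The attribute content "0\n" is constructed from the strace output in the report; the two broken handlers are hypothetical reconstructions of the observed results (whole content returned regardless of count on 2.6.9-78.EL, -EPERM on a zero-length read on 2.6.9-78.0.17.EL), not the actual driver code. check_zero_read() runs against any real path, so it can be pointed at the two /sys/firmware/rbu/ files on a Dell box or at an ordinary file elsewhere.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for an attribute's content; the report shows both
 * rbu files reading as "0\n". */
static const char attr_data[] = "0\n";
#define ATTR_LEN ((off_t)(sizeof(attr_data) - 1))

/* Model of the 2.6.9-78.EL behaviour from the report: count is ignored and
 * the whole content is copied, so read(fd, buf, 0) still returns 2 and
 * writes 2 bytes into a buffer the caller said had room for 0. */
ssize_t read_attr_ignoring_count(char *buf, size_t count, off_t pos)
{
    (void)count;
    if (pos < 0)
        return -EINVAL;
    if (pos >= ATTR_LEN)
        return 0;
    memcpy(buf, attr_data + pos, (size_t)(ATTR_LEN - pos));
    return (ssize_t)(ATTR_LEN - pos);
}

/* Model of the 2.6.9-78.0.17.EL behaviour: a zero-length read is refused
 * with -EPERM instead of returning 0 (hypothetical reconstruction). */
ssize_t read_attr_refusing_zero(char *buf, size_t count, off_t pos)
{
    if (count == 0)
        return -EPERM;
    if (pos < 0)
        return -EINVAL;
    if (pos >= ATTR_LEN)
        return 0;
    size_t n = (size_t)(ATTR_LEN - pos);
    if (n > count)
        n = count;
    memcpy(buf, attr_data + pos, n);
    return (ssize_t)n;
}

/* Handler that follows "man 2 read": count == 0 returns 0 with no other
 * effect, a position at or past the end returns 0, otherwise at most
 * count bytes are copied. The kernel's memory_read_from_buffer() helper
 * applies the same rule for buffer-backed attributes. */
ssize_t read_attr_correct(char *buf, size_t count, off_t pos)
{
    if (pos < 0)
        return -EINVAL;
    if (count == 0 || pos >= ATTR_LEN)
        return 0;
    size_t n = (size_t)(ATTR_LEN - pos);
    if (n > count)
        n = count;
    memcpy(buf, attr_data + pos, n);
    return (ssize_t)n;
}

/* Check a real path: read(2) with count 0 must return 0. Returns 0 when the
 * file complies, the errno value when open() or read() failed, or -1 when
 * read() returned data despite count being 0. */
int check_zero_read(const char *path)
{
    char s[16];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    ssize_t m = read(fd, s, 0);
    int saved = errno;
    close(fd);
    if (m == 0)
        return 0;
    if (m < 0)
        return saved;
    return -1;
}

int main(int argc, char **argv)
{
    const char *defaults[] = { "/sys/firmware/rbu/packetdatasize",
                               "/sys/firmware/rbu/rbudatasize" };
    const char **paths = argc > 1 ? (const char **)argv + 1 : defaults;
    int n = argc > 1 ? argc - 1 : 2;
    for (int i = 0; i < n; i++) {
        int r = check_zero_read(paths[i]);
        if (r == 0)
            printf("%s: ok, read(fd, buf, 0) returned 0\n", paths[i]);
        else if (r > 0)
            printf("%s: open/read failed: %s\n", paths[i], strerror(r));
        else
            printf("%s: read(fd, buf, 0) returned data\n", paths[i]);
    }
    return 0;
}
```

Run it with no arguments on a Dell system with dell_rbu loaded to repeat the report's test, or pass any other paths; on a kernel with the upstream fix both rbu files should print "ok". The checker deliberately hands read() a real buffer, because a handler that ignores count (the first model) overruns whatever the caller supplied, which is the part of this bug worth remembering when writing sysfs read handlers: clamp to count before copying, and treat count == 0 as a request for nothing.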
Comment 1 CAI Qian 2009-03-10 22:53:15 EDT
Correction -- there is no garbage returns by read(2). Sorry, I have mistaken thought of that string address as garbage. So, I don't think it is security related at all.
Comment 2 RHEL Product and Program Management 2009-03-23 11:27:51 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 RHEL Product and Program Management 2010-12-10 15:39:53 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Anton Arapov 2010-12-13 09:15:42 EST
correct patch went upstream:
  http://marc.info/?l=linux-kernel&m=129224914901034&w=2
Comment 6 Anton Arapov 2011-01-05 03:57:55 EST
Created attachment 471819 [details]
backported patch

backport of:
ea6f3281a145d16ed53e88b0627f78d5cde6068f
b903c0b8899b46829a9b80ba55b61079b35940ec
http://marc.info/?l=linux-kernel&m=129224914901034&w=2
