Description of problem:

The following program seems to return incorrect values on Dell systems with dell_rbu (Dell Remote Bios Update Driver) loaded,

    char s[4096];
    n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
    m = read(n, s, 0);
    n = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
    m = read(n, s, 0);

Before applying the patch for bug 482866 - CVE-2009-0322 kernel: dell_rbu local oops (2.6.9-78.EL), read(2) returns the whole content,

    read(3, "0\n", 0) = 2
    read(4, "0\n", 0) = 2

Using a kernel that has the patch, like 2.6.9-78.0.17.EL, it returns -1 and EPERM, and then fills the string with some garbage, as either a normal user or root.

    read(3, 0x7fbfffe970, 0) = -1 EPERM (Operation not permitted)
    read(4, 0x7fbfffe970, 0) = -1 EPERM (Operation not permitted)

From "man 2 read",

    If count is zero, read() returns zero and has no other results.

So, both behaviours look incorrect.

Version-Release number of selected component (if applicable):
kernel-2.6.9-78.EL
kernel-2.6.9-78.0.17.EL

How reproducible:
always

Steps to Reproduce:
1. reserve a newer Dell system that has dell_rbu, like
   dell-pe1850-01.rhts.bos.redhat.com
   dell-pe2900-03.rhts.bos.redhat.com
2. modprobe dell_rbu
3. compile and run the reproducer,

    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <unistd.h>

    int main(void)
    {
        int n, m;
        char s[4096];

        /* First attribute: n is the descriptor, m is the read() result. */
        n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
        perror("open");
        m = read(n, s, 0);
        printf("m = %d\n", m);

        /* Second attribute: here m is the descriptor, n is the read() result. */
        m = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
        printf("m = %d\n", m);
        n = read(m, s, 0);
        printf("n = %d\n", n);

        return 0;
    }

Actual results:

2.6.9-78.EL:

    open: Success
    m = 2
    m = 4
    n = 2

2.6.9-78.0.17.EL:

    open: Success
    m = -1
    m = 4
    n = -1

Expected results:

    open: Success
    m = 0
    m = 4
    n = 0

Additional info:
Correction -- there is no garbage returned by read(2). Sorry, I mistakenly thought of that string address as garbage. So, I don't think it is security related at all.
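A stricter check of the zero-count contract quoted from "man 2 read" above, as an added example that is not part of the original report or of any kernel patch: besides the return value it pre-fills the buffer with a sentinel so that any byte written by the kernel is detected rather than guessed at. The names `check_zero_read`, `SENTINEL` and the `ZR_*` result bits are assumptions introduced for this example.

```c
/* Added example: verifies that read(fd, buf, 0) returns 0 and writes nothing. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SENTINEL 0xA5   /* hypothetical fill byte, chosen for this example */

/* Result bits; 0 means the zero-length read behaved as documented. */
enum { ZR_OPEN_FAILED = 1, ZR_BAD_RETURN = 2, ZR_BUFFER_TOUCHED = 4 };

/* Issue read(fd, buf, 0) on `path` and report every way it deviates. */
int check_zero_read(const char *path, ssize_t *ret_out, int *errno_out)
{
    unsigned char buf[4096];
    int result = 0;
    size_t i;

    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return ZR_OPEN_FAILED;

    memset(buf, SENTINEL, sizeof(buf));   /* so any write is visible */
    errno = 0;
    ssize_t m = read(fd, buf, 0);
    int saved = errno;                    /* capture before close() */
    close(fd);

    if (ret_out) *ret_out = m;
    if (errno_out) *errno_out = saved;
    if (m != 0)
        result |= ZR_BAD_RETURN;          /* e.g. 2, or -1 with EPERM */
    for (i = 0; i < sizeof(buf); i++)
        if (buf[i] != SENTINEL) { result |= ZR_BUFFER_TOUCHED; break; }
    return result;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/sys/firmware/rbu/packetdatasize";
    ssize_t m; int e;
    int r = check_zero_read(path, &m, &e);
    if (r & ZR_OPEN_FAILED) { perror(path); return 2; }
    printf("%s: read(fd, buf, 0) = %zd (errno %d) -> %s%s\n", path, m, e,
           r & ZR_BAD_RETURN ? "wrong return value" : "return ok",
           r & ZR_BUFFER_TOUCHED ? ", buffer modified" : ", buffer untouched");
    return r ? 1 : 0;
}
```

Pass either sysfs path from the report as the first argument; the exit status is 0 only when the return value is 0 and the buffer is untouched.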
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
correct patch went upstream: http://marc.info/?l=linux-kernel&m=129224914901034&w=2
Created attachment 471819
backported patch

backport of:
ea6f3281a145d16ed53e88b0627f78d5cde6068f
b903c0b8899b46829a9b80ba55b61079b35940ec
http://marc.info/?l=linux-kernel&m=129224914901034&w=2