Bug 489638 - Incorrect Read(2) of /sys/firmware/rbu/ Entries with Count 0
Summary: Incorrect Read(2) of /sys/firmware/rbu/ Entries with Count 0
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.7.z
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Anton Arapov
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 667327 667328
 
Reported: 2009-03-11 02:26 UTC by Qian Cai
Modified: 2014-06-18 08:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 667327 667328
Environment:
Last Closed: 2011-01-27 03:54:52 UTC
Target Upstream Version:
Embargoed:


Attachments
backported patch (1.58 KB, patch)
2011-01-05 08:57 UTC, Anton Arapov

Description Qian Cai 2009-03-11 02:26:31 UTC
Description of problem: The following program seems to return incorrect values on Dell systems with dell_rbu (Dell Remote BIOS Update Driver) loaded,

char s[4096];

n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
m = read(n, s, 0);
n = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
m = read(n, s, 0);

Before the patch for bug 482866 - CVE-2009-0322 kernel: dell_rbu local oops (2.6.9-78.EL) was applied, read(2) returns the whole content,

read(3, "0\n", 0)                       = 2
read(4, "0\n", 0)                       = 2

With a kernel that has the patch, like 2.6.9-78.0.17.EL, it returns -1 and EPERM, and then fills the string with some garbage, for either a normal user or root.

read(3, 0x7fbfffe970, 0)                = -1 EPERM (Operation not permitted)
read(4, 0x7fbfffe970, 0)                = -1 EPERM (Operation not permitted)

From "man 2 read",

  If count is zero, read() returns zero and has no other results.

So both behaviours look incorrect.

Version-Release number of selected component (if applicable):
kernel-2.6.9-78.EL
kernel-2.6.9-78.0.17.EL

How reproducible:
always

Steps to Reproduce:
1. reserve a newer Dell system that has dell_rbu, like
   dell-pe1850-01.rhts.bos.redhat.com
   dell-pe2900-03.rhts.bos.redhat.com

2. modprobe dell_rbu
3. compile and run the reproducer,

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>

int
main(void)
{
        int n, m;
        char s[4096];

        /* First attribute: a read with count 0 should return 0 per read(2).
         * perror() is called unconditionally, so it prints "Success" when
         * open() worked. */
        n = open("/sys/firmware/rbu/packetdatasize", O_RDONLY);
        perror("open");

        m = read(n, s, 0);
        printf("m = %d\n", m);

        /* Second attribute: the fd stays open above, so this open() returns
         * the next descriptor (4), which the results below print. */
        m = open("/sys/firmware/rbu/rbudatasize", O_RDONLY);
        printf("m = %d\n", m);

        n = read(m, s, 0);
        printf("n = %d\n", n);

        close(m);
        close(3);

        return 0;
}


  
Actual results:
2.6.9-78.EL:
open: Success
m = 2
m = 4
n = 2

2.6.9-78.0.17.EL:
open: Success
m = -1
m = 4
n = -1

Expected results:
open: Success
m = 0
m = 4
n = 0


Additional info:

Comment 1 Qian Cai 2009-03-11 02:53:15 UTC
Correction -- there is no garbage returned by read(2). Sorry, I mistakenly thought that string address was garbage. So, I don't think it is security related at all.

Comment 2 RHEL Program Management 2009-03-23 15:27:51 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 3 RHEL Program Management 2010-12-10 20:39:53 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Anton Arapov 2010-12-13 14:15:42 UTC
correct patch went upstream:
  http://marc.info/?l=linux-kernel&m=129224914901034&w=2

Comment 6 Anton Arapov 2011-01-05 08:57:55 UTC
Created attachment 471819
backported patch

backport of:
ea6f3281a145d16ed53e88b0627f78d5cde6068f
b903c0b8899b46829a9b80ba55b61079b35940ec
http://marc.info/?l=linux-kernel&m=129224914901034&w=2

