[RFC/PATCH v1 1/3] fix decoder of ioctl EVIOCGBIT

Dmitry V. Levin ldv at altlinux.org
Sun Aug 19 08:04:02 UTC 2018


On Sat, Aug 18, 2018 at 06:45:52PM +0800, Zhibin Li wrote:
> OK, it's in linux/drivers/input/evdev.c:
> line 812: in function handle_eviocgbit:
> return bits_to_user(bits, len, size, p, compat_mode);
> and then in function bits_to_user:
> int len = BITS_TO_LONGS(maxbit) * sizeof(long);
> ...
> return copy_to_user(p, bits, len) ? -EFAULT : len;
> Correct me if I'm wrong, thanks :)

I wish you'd written something like this in the commit message. :)
I suggest applying the fix as a separate commit, e.g.

Subject: [PATCH] evdev: fix decoding of bit sets

According to drivers/input/evdev.c:bits_to_user(),
the Linux kernel returns the number of bytes, not bits.

* evdev.c (decode_bitset_): Treat syscall return value as the number
of bytes.

diff --git a/evdev.c b/evdev.c
index 7ca15c9dd..3c1aaa8e2 100644
--- a/evdev.c
+++ b/evdev.c
@@ -171,10 +171,10 @@ decode_bitset_(struct tcb *const tcp, const kernel_ulong_t arg,
 	tprints(", ");
 
 	unsigned int size;
-	if ((kernel_ulong_t) tcp->u_rval > max_nr)
+	if ((kernel_ulong_t) tcp->u_rval > max_nr / 8)
 		size = max_nr;
 	else
-		size = tcp->u_rval;
+		size = tcp->u_rval * 8;
 	char decoded_arg[size];
 
 	if (umove_or_printaddr(tcp, arg, &decoded_arg))
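Review bot: after this change `size` is a bit count (`tcp->u_rval * 8` or `max_nr`), yet it is still used as the byte length of the VLA in `char decoded_arg[size];`, and `umove_or_printaddr(tcp, arg, &decoded_arg)` copies that whole array from the tracee, so the decoder fetches eight times as many bytes as the kernel wrote and can fail (and print only the address) on a buffer that is exactly `u_rval` bytes long. Suggest keeping the bit count for the bit scan but declaring and copying the buffer by bytes, e.g. `char decoded_arg[(size + 7) / 8];`, or converting to a bit count only after the copy.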

What do you think?


-- 
ldv
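As an added example (not strace or kernel code), the following models the byte count that EVIOCGBIT returns, mirroring the quoted bits_to_user() logic, and shows what a decoder recovers from the same bit set when it reads that count as bits versus bytes. KEY_MAX is assumed to be linux/input.h's 0x2ff and is defined locally so the example builds without kernel headers; the sample key set is constructed.

```c
/*
 * Added example, not strace or kernel code. Models the EVIOCGBIT return
 * value and the old vs. patched strace sizing rules on a constructed bit set.
 * KEY_MAX is assumed to match linux/input.h (0x2ff).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 0x2ff
#define KEY_CNT (KEY_MAX + 1)
#define BITS_PER_LONG (8 * sizeof(long))
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Return value of EVIOCGBIT for a maxbit-bit set when the caller's buffer
 * holds maxlen bytes: whole longs, clamped to the buffer size, as
 * drivers/input/evdev.c:bits_to_user() does. Bytes, not bits. */
size_t eviocgbit_ret_bytes(unsigned maxbit, size_t maxlen)
{
	size_t len = BITS_TO_LONGS(maxbit) * sizeof(long);
	return len > maxlen ? maxlen : len;
}

/* Bits scanned by the pre-patch strace logic (return value taken as bits). */
unsigned scan_bits_old(size_t u_rval, unsigned max_nr)
{
	return u_rval > max_nr ? max_nr : (unsigned) u_rval;
}

/* Bits scanned by the patched logic (return value taken as bytes). */
unsigned scan_bits_new(size_t u_rval, unsigned max_nr)
{
	return u_rval > max_nr / 8 ? max_nr : (unsigned) (u_rval * 8);
}

/* Fill buf the way the kernel does: an array of unsigned long with bit i in
 * word i / BITS_PER_LONG. Returns the byte count the kernel would copy. */
size_t build_bitset(const unsigned *bits, size_t n, unsigned max_nr,
		    unsigned char *buf, size_t buflen)
{
	unsigned long words[BITS_TO_LONGS(KEY_CNT)] = { 0 };
	size_t nbytes = BITS_TO_LONGS(max_nr) * sizeof(long);

	if (max_nr > KEY_CNT || nbytes > buflen)
		return 0;
	for (size_t i = 0; i < n; i++) {
		if (bits[i] < max_nr)
			words[bits[i] / BITS_PER_LONG] |= 1UL << (bits[i] % BITS_PER_LONG);
	}
	memcpy(buf, words, nbytes);
	return nbytes;
}

/* Report the set bits among the first scan_bits bits of an nbytes-byte set.
 * The bytes are reinterpreted as the longs the kernel wrote so numbering
 * matches set_bit(); a partial trailing long is zero-padded, which is only
 * right on little-endian hosts. Never scans past the bytes actually
 * returned. Returns the number of set bits found. */
size_t decode_bitset(const unsigned char *buf, size_t nbytes, unsigned scan_bits,
		     unsigned *out, size_t out_cap)
{
	unsigned long words[BITS_TO_LONGS(KEY_CNT)] = { 0 };
	size_t n = 0;

	if (nbytes > sizeof(words))
		nbytes = sizeof(words);
	memcpy(words, buf, nbytes);
	if (scan_bits > nbytes * 8)
		scan_bits = nbytes * 8;
	for (unsigned bit = 0; bit < scan_bits; bit++) {
		if (words[bit / BITS_PER_LONG] & (1UL << (bit % BITS_PER_LONG))) {
			if (n < out_cap)
				out[n] = bit;
			n++;
		}
	}
	return n;
}

/* Constructed sample: a device reporting KEY_A (30), KEY_POWER (116) and
 * BTN_LEFT (0x110). Decodes with the old or patched sizing rule, stores the
 * highest bit found in *highest and returns how many bits were found. */
size_t sample_decode(int patched, unsigned *highest)
{
	static const unsigned keys[] = { 30, 116, 0x110 };
	unsigned char buf[BITS_TO_LONGS(KEY_CNT) * sizeof(long)];
	unsigned out[8];
	size_t u_rval = build_bitset(keys, 3, KEY_CNT, buf, sizeof buf);
	unsigned bits = patched ? scan_bits_new(u_rval, KEY_CNT)
				: scan_bits_old(u_rval, KEY_CNT);
	size_t n = decode_bitset(buf, u_rval, bits, out, 8);

	*highest = n ? out[n < 8 ? n - 1 : 7] : 0;
	return n;
}

int main(void)
{
	unsigned hi;
	size_t n_old = sample_decode(0, &hi);
	printf("return value as bits:  %zu key(s), highest %u\n", n_old, hi);
	size_t n_new = sample_decode(1, &hi);
	printf("return value as bytes: %zu key(s), highest %u\n", n_new, hi);
	return 0;
}
```

For KEY_CNT the kernel returns 96 bytes on both 32- and 64-bit hosts; read as bits that covers only keys 0..95, so KEY_POWER and BTN_LEFT vanish from the decode, while read as bytes it covers all 768 key bits.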