List: linux-aio
Subject: io_getevents() segfaults
From: Cyril Hrubis <chrubis () suse ! cz>
Date: 2011-03-23 16:47:50
Message-ID: 20110323171023.GA11252 () saboteur ! suse ! cz
Hi!
I've been fixing libaio tests in LTP and found that io_getevents() may
segfault on a random ctx.
The manual, however, says that we should get EINVAL in this case.
The cause for this is code in io_getevents() that dereferences ctx to
check for an empty queue.
I've been told by Jeff that this code was flawed and not really
implemented anyway, so the attached patch simply removes it.
--
Cyril Hrubis
chrubis@suse.cz
["0001-Remove-shared-buffer-code.patch" (text/x-patch)]
From c6c6abc0a7125704da68f3898cf4ac39123a6da1 Mon Sep 17 00:00:00 2001
From: Cyril Hrubis <chrubis@saboteur.suse.cz>
Date: Wed, 23 Mar 2011 17:42:46 +0100
Subject: [PATCH] Remove shared buffer code.
When an invalid ctx is passed, it's dereferenced and,
when the value is outside program-allocated memory,
the dereference causes a segfault.
Signed-off-by: Cyril Hrubis <chrubis@saboteur.suse.cz>
---
src/io_getevents.c | 25 -------------------------
1 files changed, 0 insertions(+), 25 deletions(-)
diff --git a/src/io_getevents.c b/src/io_getevents.c
index 5a05174..874cf39 100644
--- a/src/io_getevents.c
+++ b/src/io_getevents.c
@@ -24,33 +24,8 @@
io_syscall5(int, __io_getevents_0_4, io_getevents, io_context_t, ctx, long, min_nr, \
long, nr, struct io_event *, events, struct timespec *, timeout)
-#define AIO_RING_MAGIC 0xa10a10a1
-
-/* Ben will hate me for this */
-struct aio_ring {
- unsigned id; /* kernel internal index number */
- unsigned nr; /* number of io_events */
- unsigned head;
- unsigned tail;
-
- unsigned magic;
- unsigned compat_features;
- unsigned incompat_features;
- unsigned header_length; /* size of aio_ring */
-};
-
int io_getevents_0_4(io_context_t ctx, long min_nr, long nr, struct io_event * \
events, struct timespec * timeout) {
- struct aio_ring *ring;
- ring = (struct aio_ring*)ctx;
- if (ring==NULL || ring->magic != AIO_RING_MAGIC)
- goto do_syscall;
- if (timeout!=NULL && timeout->tv_sec == 0 && timeout->tv_nsec == 0) {
- if (ring->head == ring->tail)
- return 0;
- }
-
-do_syscall:
return __io_getevents_0_4(ctx, min_nr, nr, events, timeout);
}
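Review bot: the removed fast path reads ring->magic through a pointer that is nothing more than the caller-supplied ctx cast to struct aio_ring * (`ring = (struct aio_ring*)ctx;` followed by `if (ring==NULL || ring->magic != AIO_RING_MAGIC)`), so the magic check can never protect the dereference it is meant to guard: only NULL and a pointer to a real ring are safe, and any other value faults before the comparison runs. Removing the block rather than adding more checks is the right call, since the kernel validates ctx itself and returns the EINVAL the man page promises, and the block also hard-coded a kernel-internal ring layout (as the "Ben will hate me for this" comment admits). The commit message should state the behavioural cost, namely that a zero timeout on an empty ring now always enters the syscall instead of returning 0 from userspace, and the removal of AIO_RING_MAGIC and struct aio_ring means any other user of those names in the tree needs checking before this is merged.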
--
1.6.4.2