Problem about Kernel oops

homeboy · January 7, 2012, 8:39am

hello,everyone,I'm reading LDD3.Topics about oops,it said the code bellow would cause a fault condition because "this method copies a string to a local variable,unfortunately,the string is longer than the destination array".Well,hard to understand....Is that right?I thought the fault should be caused by the wrong memset,it overwrite the function stack,the value of __user is 0xff now.will anyone tell me what happened here?Thanks;

size_t fauly_read(struct file *filp, char __user *buf, size_t count, loff_t *pos)
{
      int ret;
      char stack_buf[4];

      memset(stack_buf, 0xff, 20);
      if(count > 4)
           count  = 4;

      ret = copy_to_user(buf, stack_buf, count);
      if(!ret)
          return count;

      return ret;
}

Corona688 · January 7, 2012, 4:39pm

homeboy:

hello,everyone,I'm reading LDD3.Topics about oops,it said the code bellow would cause a fault condition because "this method copies a string to a local variable,unfortunately,the string is longer than the destination array".Well,hard to understand....Is that right?I thought the fault should be caused by the wrong memset,it overwrite the function stack,the value of __user is 0xff now.will anyone tell me what happened here?Thanks;
size_t fauly_read(struct file *filp, char __user *buf, size_t count, loff_t *pos)
{
   int ret;
   char stack_buf[4];

   memset(stack_buf, 0xff, 20);
   if(count > 4)
   count  = 4;

   ret = copy_to_user(buf, stack_buf, count);
   if(!ret)
   return count;

   return ret;
}

It's writing 20 bytes to an array 4 bytes long, rampaging 16 more bytes across memory it shouldn't, trashing things like local variable values, function parameters, and return locations, all of which are kept in the same general area of stack here.

You're both right, in other words. There's many possible problems that could be caused by this, not just corruption of the return vector. If you're lucky, it crashes immediately. If you're unlucky, it puts bizarre values into your local variables and function parameters, causing behavior that's very difficult to rationally explain.