Strange echo behaviour

Peter Korsgaard jacmet at sunsite.dk
Thu Jan 27 09:30:45 UTC 2011


>>>>> "Baruch" == Baruch Siach <baruch at tkos.co.il> writes:

 Baruch> Another related problem that I've observed with echo goes as follows:

 Baruch> ./strace-armv5l sh -c 'echo test > /dev/input/event0'

 Baruch> shows:

 Baruch> write(1, "test\n", 5)                   = 16
 Baruch> write(1, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2147483647) = -1 EFAULT (Bad address)

That's a kernel bug. You are supposed to write 16-byte long input_event
structures and not text strings, and evdev.c only checks if it can
successfully copy_from_user 16 bytes. Depending on malloc
implementation, the following 11 bytes after the text string are
probably also within the address space of the process.

The fix would be something like:

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index c8471a2..61fa24e 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -330,7 +330,7 @@ static ssize_t evdev_write(struct file *file, const char __u
                goto out;
        }
 
-       while (retval < count) {
+       while ((retval + input_event_size()) <= count) {
 
                if (input_event_from_user(buffer + retval, &event)) {
                        retval = -EFAULT;
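Review bot: the replacement condition `while ((retval + input_event_size()) <= count)` stops the loop from copying a full event past the end of a short buffer, but a write shorter than one event (the 5-byte "test\n" in the strace above) now returns 0 with nothing consumed; callers that retry until every byte is written can spin on a zero return, so consider rejecting `count < input_event_size()` with -EINVAL before the loop. The hunk as quoted ends inside the loop body, so the `out:` return path is not visible here; worth confirming that no other path still lets retval exceed count.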

I'll send a patch to the linux-input list.

-- 
Bye, Peter Korsgaard
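To make the over-read concrete, here is an added user-space model of the evdev_write() loop before and after the quoted change. It is example code, not code from the thread or from the kernel: copy_from_user() is replaced by a bounds check against a constructed 32-byte "mapped" region (an assumption standing in for whatever malloc happened to leave after echo's string), and the event size is fixed at 16 bytes as on the 32-bit ARM target in the thread.

```c
/*
 * Added example (not code from the thread or the kernel): user-space model
 * of the evdev_write() loop with the hunk's old and new conditions.
 * copy_from_user() is replaced by a bounds check against a constructed
 * buffer, so the over-read shown by the strace output can be reproduced.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* sizeof(struct input_event) on the 32-bit ARM target in the thread. */
#define INPUT_EVENT_SIZE 16

/*
 * Constructed model of the writing process's memory: echo's 5-byte
 * "test\n" at offset 0, then leftover heap bytes up to MAPPED_BYTES,
 * after which the page is unmapped (assumption: 32 mapped bytes).
 */
#define MAPPED_BYTES 32
static const unsigned char user_mem[MAPPED_BYTES] = "test\n";

/* Stand-in for copy_from_user(): fails only if [off, off+n) leaves the
 * mapped region, which is the only check evdev relies on. */
static int model_copy_from_user(unsigned char *dst, size_t off, size_t n)
{
    if (off > MAPPED_BYTES || n > MAPPED_BYTES - off)
        return -EFAULT;
    memcpy(dst, user_mem + off, n);
    return 0;
}

/* Loop condition from the hunk's '-' line: while (retval < count). */
long evdev_write_before(size_t count)
{
    unsigned char event[INPUT_EVENT_SIZE];
    long retval = 0;

    while ((size_t)retval < count) {
        if (model_copy_from_user(event, (size_t)retval, INPUT_EVENT_SIZE))
            return -EFAULT;
        retval += INPUT_EVENT_SIZE;
    }
    return retval;          /* can exceed count: a 5-byte write returns 16 */
}

/* Loop condition from the hunk's '+' line. */
long evdev_write_after(size_t count)
{
    unsigned char event[INPUT_EVENT_SIZE];
    long retval = 0;

    while ((size_t)retval + INPUT_EVENT_SIZE <= count) {
        if (model_copy_from_user(event, (size_t)retval, INPUT_EVENT_SIZE))
            return -EFAULT;
        retval += INPUT_EVENT_SIZE;
    }
    return retval;          /* never exceeds count: a 5-byte write returns 0 */
}

/* Bytes the kernel consumed beyond what the caller handed it, if any. */
long overread_bytes(long (*impl)(size_t), size_t count)
{
    long r = impl(count);
    return r > (long)count ? r - (long)count : 0;
}

int main(void)
{
    printf("before: write(5) = %ld, over-read %ld bytes\n",
           evdev_write_before(5), overread_bytes(evdev_write_before, 5));
    printf("after:  write(5) = %ld, over-read %ld bytes\n",
           evdev_write_after(5), overread_bytes(evdev_write_after, 5));
    printf("before: write(INT_MAX) = %ld (-EFAULT is %d)\n",
           evdev_write_before(INT_MAX), -EFAULT);
    return 0;
}
```

With the old condition the model returns 16 for a 5-byte write, the same value the strace output shows, because the loop only asks whether 16 bytes are readable, not whether the caller supplied them. With the new condition a 5-byte write consumes nothing, and the second write with a huge count still ends in -EFAULT in both versions: that failure comes from running off the end of the caller's mapping, which the loop bound cannot change.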