Strange echo behaviour

Peter Korsgaard jacmet at
Thu Jan 27 09:30:45 UTC 2011

>>>>> "Baruch" == Baruch Siach <baruch at> writes:

 Baruch> Another related problem that I've observed with echo goes as follows:

 Baruch> ./strace-armv5l sh -c 'echo test > /dev/input/event0'

 Baruch> shows:

 Baruch> write(1, "test\n", 5)                   = 16
 Baruch> write(1, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2147483647) = -1 EFAULT (Bad address)

That's a kernel bug. You are supposed to write 16byte long input_event
structures and not text strings, and evdec.c only checks if it can
successfully copy_from_user 16 bytes. Depending on malloc
implementation, the following 11 bytes after the text string are
probably also within the address space of the process.

The fix would be something like:

diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index c8471a2..61fa24e 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -330,7 +330,7 @@ static ssize_t evdev_write(struct file *file, const char __u
                goto out;
-       while (retval < count) {
+       while ((retval + input_event_size()) <= count) {
                if (input_event_from_user(buffer + retval, &event)) {
                        retval = -EFAULT;

I'll send a patch to the linux-input list.

Bye, Peter Korsgaard

More information about the busybox mailing list