Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185242 Summary: ioctl default minimum argument length of 256 should be restored Product: Fedora Core Version: fc4 Platform: All URL: http://rt.perl.org/rt3/Ticket/Display.html?id=38223 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: perl AssignedTo: jvdias(a)redhat.com ReportedBy: jvdias(a)redhat.com QAContact: dkl(a)redhat.com CC: fedora-perl-devel-list@redhat.com,prockai(a)redhat.com +++ This bug was initially created as a clone of Bug #185240 +++ Description of problem: This is perl bug request ticket 38223 . Owing to the fix for bug 171111, where the length bitfield of the ioctl number argument, which specifies the length of the optional RD ioctl output third argument, was not being extracted correctly, and perl used 256 as the minimum length of the third argument in all cases, perl now does not ascribe any minimum length to the third argument unless the length bitfield is specified. This has the result that unless the length bitfield of the ioctl number is specified, a third argument of a buffer with insufficient length for the ioctl output will be overflowed, and perl will suffer a buffer overflow and a potential memory access violation or memory corruption, as generated by the following code (from perlbug RT# 38223): #!/usr/bin/perl require 'sys/ioctl.ph'; die "no TIOCGWINSZ " unless defined &TIOCGWINSZ; open(TTY, "+</dev/tty") or die "No tty: $!"; unless (ioctl(TTY, &TIOCGWINSZ, $winsize='')) { die sprintf "$0: ioctl TIOCGWINSZ (%08x: $!)\n", &TIOCGWINSZ; } ($row, $col, $xpixel, $ypixel) = unpack('S4', $winsize); print "(row,col) = ($row,$col)"; print " (xpixel,ypixel) = ($xpixel,$ypixel)" if $xpixel || $ypixel; print "\n"; Perl now correctly detects the buffer overflow: Possible memory corruption: ioctl overflowed 3rd argument at ./bug38223.pl line 5. This would not have occurred with perl versions before perl-5.8.6-18, because the length of all the ioctl third output arguments was made a minimum of 256 bytes. The overflow would not have occurred if the ioctl call had been : ioctl(TTY, &TIOCGWINSZ, $winsize='x'x16) or ioctl(TTY, &TIOCGWINSZ | (16 << &_IOC_SIZESHIFT), $winsize='') The default size of 256 has been restored in the latest upstream patch for this issue: ==== //depot/perl/perl.h#657 (text) ==== Index: perl/perl.h --- perl/perl.h.~1~ Fri Jan 13 04:10:49 2006 +++ perl/perl.h Fri Jan 13 04:10:49 2006 @@ -2977,8 +2977,8 @@ # define IOCPARM_LEN(x) (((x) >> 16) & \ # IOCPARM_MASK) # else # if defined(_IOC_SIZE) && defined(__GLIBC__) - /* on Linux systems we're safe */ -# define IOCPARM_LEN(x) _IOC_SIZE(x) + /* on Linux systems we're safe; except when we're not [perl #38223] */ +# define IOCPARM_LEN(x) (_IOC_SIZE(x) < 256 ? 256 : \ _IOC_SIZE(x)) # else /* otherwise guess at what's safe */ # define IOCPARM_LEN(x) 256 End of Patch. Version-Release number of selected component (if applicable): perl-5.8.6-22 How reproducible: 100% Steps to Reproduce: Invoke a READ ioctl with a 0 length bitfield and and output buffer third argument of insufficient length to hold the potential ioctl output. Actual results: Perl exits with error: Possible memory corruption: ioctl overflowed 3rd argument Expected results: Perl should enforce a minimum length of 256 bytes for the ioctl output buffer. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.