Bugme bug 4326: http://bugme.osdl.org/show_bug.cgi?id=4326 reports:
> Problem Description:
> On executing the systemcall readv with Bad argument
> (iovec->len == -1) it gives out error EFAULT instead of EINVAL
This is not a serious bug, but is a slight behavior change. This changeset:
http://linus.bkbits.net:8080/linux-2.5/[EMAIL
PROTECTED]|src/|src/fs|related/fs/read_write.c
does an access_ok() check before the 'len < 0' check, in
do_readv_writev() so it now does an EFAULT instead of EVINAL for the -1
length argument.
> for (seg = 0; seg < nr_segs; seg++) {
...
> + if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
> + goto Efault;
> if (len < 0) /* size_t not fitting an ssize_t .. */
> goto out;
> tot_len += len;
The attached path moves the access check to after the len check, to make
it behave a little more like it did before.
-- Dave
--- linux-2.6/fs/read_write.c.orig 2005-03-31 14:02:03.940333696 -0800
+++ linux-2.6/fs/read_write.c 2005-03-31 14:03:24.651063800 -0800
@@ -467,10 +467,10 @@ static ssize_t do_readv_writev(int type,
void __user *buf = iov[seg].iov_base;
ssize_t len = (ssize_t)iov[seg].iov_len;
- if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
- goto Efault;
if (len < 0) /* size_t not fitting an ssize_t .. */
goto out;
+ if (unlikely(!access_ok(vrfy_dir(type), buf, len)))
+ goto Efault;
tot_len += len;
if ((ssize_t)tot_len < 0) /* maths overflow on the ssize_t */
goto out;
