Bug 14636 - invalid parameter for epoll_ctl will lead application coredump
Summary: invalid parameter for epoll_ctl will lead application coredump
Status: RESOLVED INVALID
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-18 09:46 UTC by williamchen
Modified: 2009-11-19 09:24 UTC

See Also:
Kernel Version: 2.6.16.6
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description williamchen 2009-11-18 09:46:50 UTC
When a user calls the system call epoll_ctl to insert/remove/change a file descriptor in epoll, like this:
epoll_ctl(int epfd, int op, int fd=-1, struct epoll_event __user *event);
this operation will lead to an application crash; the following function will lead to this problem when fd is -1:

static inline struct file * fcheck_files(struct files_struct *files, unsigned int fd)
{
	struct file * file = NULL;
	struct fdtable *fdt = files_fdtable(files);

	if (fd < fdt->max_fds)
		file = rcu_dereference(fdt->fd[fd]); /*here fd is -1*/
	return file;
}
Comment 1 Alexey Dobriyan 2009-11-18 13:26:43 UTC
Do you have an oops, or is this an observation?
max_fds and fd are unsigned int.
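The unsigned comparison that settles this report, as an added example that is not part of the bug report or of the kernel tree: a small user-space model of the quoted fcheck_files() lookup (the struct file and fdtable shapes and the two-entry table are constructed here), a hypothetical signed variant for contrast, and, when built on Linux, the real epoll_ctl() call with fd = -1 so the errno it returns can be checked.

```c
/* Added example (not from the bug report or the kernel tree): a minimal
 * user-space model of fcheck_files() showing why a caller-supplied fd of -1
 * cannot index the fd table.  The struct names and the lookup mirror the
 * kernel snippet quoted in the report; the table contents are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <limits.h>
#include <errno.h>
#ifdef __linux__
#include <sys/epoll.h>
#include <unistd.h>
#endif

struct file { int id; };

struct fdtable {
    unsigned int max_fds;
    struct file **fd;
};

/* Same shape as the kernel's fcheck_files(): fd is unsigned, so -1 arrives
 * as UINT_MAX and the bounds check rejects it before the array is touched. */
static struct file *fcheck_files_model(const struct fdtable *fdt, unsigned int fd)
{
    struct file *file = NULL;
    if (fd < fdt->max_fds)
        file = fdt->fd[fd];
    return file;
}

/* Hypothetical signed variant for contrast: with a signed index the same
 * check would accept -1 and index one element before the array. */
static int signed_check_passes(int max_fds, int fd)
{
    return fd < max_fds;
}

/* Returns 1 if a lookup of -1 (converted to unsigned) is rejected, 0 otherwise. */
int lookup_minus_one_is_rejected(void)
{
    struct file f0 = {0}, f1 = {1};
    struct file *table[2] = { &f0, &f1 };       /* constructed two-entry table */
    struct fdtable fdt = { .max_fds = 2, .fd = table };
    unsigned int fd = (unsigned int)-1;          /* what the caller's -1 becomes */
    return fcheck_files_model(&fdt, fd) == NULL && fd == UINT_MAX;
}

/* Returns the errno epoll_ctl() reports for fd == -1 on a real kernel
 * (EBADF is expected), or -1 when not built on Linux or no epoll fd is available. */
int epoll_ctl_minus_one_errno(void)
{
#ifdef __linux__
    int epfd = epoll_create1(0);
    if (epfd < 0)
        return -1;
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = -1 };
    int err = 0;
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, -1, &ev) < 0)
        err = errno;
    close(epfd);
    return err;
#else
    return -1;
#endif
}

int main(void)
{
    printf("model lookup of -1 rejected: %d\n", lookup_minus_one_is_rejected());
    printf("signed check would pass for -1: %d\n", signed_check_passes(2, -1));
    int e = epoll_ctl_minus_one_errno();
    if (e >= 0)
        printf("epoll_ctl(..., -1, ...) errno: %d (EBADF is %d)\n", e, EBADF);
    return 0;
}
```

The model returns NULL for -1 because the comparison is done in unsigned int, which is the point made in this comment; the signed variant shows what the reporter had in mind. The live epoll_ctl() call fails with EBADF rather than crashing the process, which is the behaviour a caller should expect and check for.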
Comment 2 williamchen 2009-11-19 09:20:03 UTC
Oh, it's my fault. I had overlooked that max_fds and fd are unsigned int.
Comment 3 williamchen 2009-11-19 09:24:56 UTC
But this happened once on a 64-bit operating system, and I checked the fd to avoid my application crashing.
