Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754284AbbLCVPV (ORCPT <rfc822;w@1wt.eu>);
	Thu, 3 Dec 2015 16:15:21 -0500
Received: from mout.kundenserver.de ([212.227.126.135]:60429 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753928AbbLCVPS (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 3 Dec 2015 16:15:18 -0500
From: Arnd Bergmann <arnd@arndb.de>
To: linux-arm-kernel@lists.infradead.org
Cc: Lee Jones <lee.jones@linaro.org>, Ohad Ben-Cohen <ohad@wizery.com>,
        "devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
        Florian Fainelli <f.fainelli@gmail.com>, kernel@stlinux.com,
        Nathan_Lynch@mentor.com,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Bjorn Andersson <bjorn@kryo.se>, ludovic.barre@st.com,
        Maxime Coquelin <maxime.coquelin@st.com>
Subject: Re: [RESEND v4 2/6] remoteproc: debugfs: Add ability to boot remote processor using debugfs
Date: Thu, 03 Dec 2015 22:12:59 +0100
Message-ID: <2473673.tSymyNlg3h@wuerfel>
User-Agent: KMail/4.11.5 (Linux/3.16.0-10-generic; KDE/4.11.5; x86_64; ; )
In-Reply-To: <20151203172830.GB26902@x1>
References: <1448370862-19120-1-git-send-email-lee.jones@linaro.org> <2600153.9u9Z7N2IT1@wuerfel> <20151203172830.GB26902@x1>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Provags-ID: V03:K0:hqkywEfZdzMNKH4bMVBPo0Szhh+M6IaLX6hNs0wRp91qyPvXHCL
 9KsjV5X9Es25ENKA3Y5DGLrNfoCu8IWy57Jq2sLOpjSTRRARjSLSF51JMNUepFqjJgudrZ7
 pQr5qpsXO5bl1MwEueD2H2QGjB3xOf6IKLrbUsL/CTH2+ctN3HhKwOplepCzM5eGmoAiZeI
 L6forMtBSBsj3D0jl2kwg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:EDrYxzrEmsI=:D+uxBBWn/+8VgdufadPDWb
 PpsvNnqQp1/qef6QOQ296G77l4QlhBTKUOe/3XH75ws6sr3EHy259U2VybITKHo6GPbnoqDx1
 sLGNINdgVHE8a83cROJOAD6hJB7TYFmfLHeCrsFiJaWFVXZmcitT5l4oj9cFw0CI8xaINCMFb
 hBjB1+L765cS5dex9QpfD4eJL5NNZBdK3opc4627y1CvDZfuPO+Bl7OUZ3tEzFCD8ijxYxUE0
 izkkDtDrNXdAKJzrJnUvoKBaEvrO9SBauMGeZrTp101/Q638idKmMNf9rYL7/D9ksJzDl0GjB
 gNDSqn/7cDMc698mRE0YnEqYzMuBTuWQ2T5FyDYOJUtuX9WQnDr+5SCoz0hRjBFa1qzDFO3GK
 mYJK0wGLRaERbAj6Wfqyg0tqzXx2iWeUW30uH2EoqJIU6cmbx80fgp8E8xXngckzNQoEgOpQ6
 lXmGlHzf9JZ/3NZoWxqM3TYQILJmKOYslj3Tjo4aDmFt0InJ9lK7eaRy2DHSzu2z2LJE2yhS5
 mJGJR0GodMp+nmcPGboBg7sEgFhAplW50IU7iG+IqlWp68JvqIMYu4j5rMqFNYx4gTyZrM4VC
 GvGW7ldvmzwsQhP3oQjD7sgIz7jWL/iS/Oe9ZyD/XaBnIGe39wqPk/+P9xLNFLMteBN/UFi05
 Q/HnSX96oopAxeLYhoM0aF+RT3xvXmXY3BQyb+btQEaAEcTB2IjxVq4SqCl0VQ5CN1Rqvai1i
 N83HoYaJ+HH4zmh1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 788
Lines: 21

On Thursday 03 December 2015 17:28:30 Lee Jones wrote:
> > 
> > Ah, interesting. I haven't tried myself, and just tried to read the
> > code. Maybe glibc already catches zero-length writes before it gets
> > into the kernel, or I just missed the part of the syscall that checks
> > for this.
> 
> Glibc is responsible indeed:
>   
>   http://osxr.org/glibc/source/io/write.c

Ok, so an attacker can force the stack overflow by calling
syscall(__NR_write, fd, p, 0) if that has any potential value,
but normal users won't hit this case.

	Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/