Hi Marc, thanks for the followup.
* Marc Haber <mh+debian-b...@zugschlus.de> [210404 22:03]:
> On Sun, Apr 04, 2021 at 10:33:46PM +0200, Chris Hofstaedtler wrote:
> > * Bernhard Übelacker <bernha...@mailbox.org> [210404 20:32]:
> > > Dear Maintainer,
> > > tried to locate the exact smashing.
> > > It looks like the ioctl(EXT2_IOC_GETFLAGS) takes an int* parameter,
> > > but writes 8 bytes instead of just sizeof(int) to the given address.
> >
> > Some more questions:
> > 1) which kernel version is this?
> > 2) /dev/dri is on tmpfs?
>
> 1 [2/4021]mh@testsid85:~ $ sudo lsattr /dev/dri/card0
> [sudo] password for mh:
> *** stack smashing detected ***: terminated
> Aborted
> 134 [3/4022]mh@testsid85:~ $ uname -a
> Linux testsid85 5.10.0-5-amd64 #1 SMP Debian 5.10.26-1 (2021-03-27) x86_64
> GNU/Linux
> [4/4023]mh@testsid85:~ $ stat -f /dev/dri
>   File: "/dev/dri"
>     ID: 0        Namelen: 255     Type: tmpfs
> Block size: 4096       Fundamental block size: 4096
> Blocks: Total: 40336      Free: 40336      Available: 40336
> Inodes: Total: 40336      Free: 39600
> [5/4024]mh@testsid85:~ $
>
> Other /dev device nodes can be lsattr'd without error.

I was wondering about changes since buster, and indeed: Upstream commit
40ea4628 [1] removes the lstat call which shielded the ioctl call later
on. On buster, lsattr /dev/dri/card0 just gives:

  lsattr: Operation not supported While reading flags on /dev/dri/card0

(Even with Linux 5.10.0-0.bpo.3-amd64.)

Now, for the actual issue: AFAICT, for /dev/dri/card0 the ioctl ends up
in the kernel's drm_ioctl [2], which will blindly call copy_to_user
assuming the output size is the same as the input size (8 bytes). This
is wrong for FS_IOC_GETFLAGS, at least for normal files.

Maybe the best thing is to put the lstat check back in? Or maybe lsattr
should expect that the kernel might actually use the 8 bytes?

I have checked various fs ioctl functions, and they all seem to return
4 bytes, except for orangefs [3] ...

Chris

[1] https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/lib/e2p/fgetflags.c?id=40ea4628ba1b55f8eba311f12399d039698dbeeb
[2] https://elixir.bootlin.com/linux/v5.10.27/source/drivers/gpu/drm/drm_ioctl.c#L888
[3] https://elixir.bootlin.com/linux/v5.10.27/source/fs/orangefs/file.c#L378