>>>>> "Baruch" == Baruch Siach <[email protected]> writes:
Baruch> Another related problem that I've observed with echo goes as follows:
Baruch> ./strace-armv5l sh -c 'echo test > /dev/input/event0'
Baruch> shows:
Baruch> write(1, "test\n", 5) = 16
Baruch> write(1,
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
2147483647) = -1 EFAULT (Bad address)
That's a kernel bug. You are supposed to write 16byte long input_event
structures and not text strings, and evdec.c only checks if it can
successfully copy_from_user 16 bytes. Depending on malloc
implementation, the following 11 bytes after the text string are
probably also within the address space of the process.
The fix would be something like:
diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
index c8471a2..61fa24e 100644
--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -330,7 +330,7 @@ static ssize_t evdev_write(struct file *file, const char __u
goto out;
}
- while (retval < count) {
+ while ((retval + input_event_size()) <= count) {
if (input_event_from_user(buffer + retval, &event)) {
retval = -EFAULT;
I'll send a patch to the linux-input list.
--
Bye, Peter Korsgaard
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
