[PATCH] getname() buffer overflow

Hugh Dickins (hugh@veritas.com)
Fri, 2 Mar 2001 21:41:09 +0000 (GMT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alexander Viro: "[PATCH] Re: usbdevfs can be mounted multiple times"
Previous message: Grant Grundler: "Re: PATCH 2.4.0 parisc PCI support"
In reply to: Alan Cox: "Linux 2.4.2ac9"
Next in thread: Hugh Dickins: "[PATCH] alloc_tty_struct() wastage?"

The pathname slab cache size was "reduced" from PAGE_SIZE to
PATH_MAX + 1 during the 2.4.0-test series, and len similarly
adjusted in do_getname(). But its "are we near top of task space?"
test should have been adjusted too: could overflow if page size >4KB.
Patch below against 2.4.2-ac9, applies equally to 2.4.[012].

Hugh

--- 2.4.2-ac9/fs/namei.c Fri Dec 29 22:07:23 2000
+++ linux/fs/namei.c Fri Mar 2 18:23:42 2001
@@ -113,7 +113,7 @@
if ((unsigned long) filename >= TASK_SIZE) {
if (!segment_eq(get_fs(), KERNEL_DS))
return -EFAULT;
- } else if (TASK_SIZE - (unsigned long) filename < PAGE_SIZE)
+ } else if (TASK_SIZE - (unsigned long) filename < PATH_MAX + 1)
len = TASK_SIZE - (unsigned long) filename;

retval = strncpy_from_user((char *)page, filename, len);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexander Viro: "[PATCH] Re: usbdevfs can be mounted multiple times"
Previous message: Grant Grundler: "Re: PATCH 2.4.0 parisc PCI support"
In reply to: Alan Cox: "Linux 2.4.2ac9"
Next in thread: Hugh Dickins: "[PATCH] alloc_tty_struct() wastage?"