I have found this advisory on BUGTRAQ about d_path() :
http://online.securityfocus.com/archive/1/264117
I have made the following modifications in the d_path() of
Linux 2.2.20 : d_path() return an empty string when the path is
too large.
--- /usr/src/linux/fs/dcache.c.orig Fri Nov 2 17:39:08 2001
+++ /usr/src/linux/fs/dcache.c Wed Mar 27 23:30:32 2002
@@ -794,8 +794,11 @@
break;
namelen = dentry->d_name.len;
buflen -= namelen + 1;
- if (buflen < 0)
+ if (buflen < 0) {
+ /* FIXME : buffer overflow -> no return */
+ retval = buffer+buflen;
break;
+ }
end -= namelen;
memcpy(end, dentry->d_name.name, namelen);
*--end = '/';
---I don't know, if it really fixes well the problem, but i tested the proposed exploit on my patched kernel and getcwd() does return an error.
It is probable that you have already fixed this, in a better way.
Benoît Timbert - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/