forked from Minki/linux
b32a09db4f
match_strcpy() is a somewhat creepy function: the caller needs to make sure that the destination buffer is big enough, and when he screws up or forgets, match_strcpy() happily overruns the buffer. There's exactly one customer: v9fs_parse_options(). I believe it currently can't overflow its buffer, but that's not exactly obvious. The source string is a substing of the mount options. The kernel silently truncates those to PAGE_SIZE bytes, including the terminating zero. See compat_sys_mount() and do_mount(). The destination buffer is obtained from __getname(), which allocates from name_cachep, which is initialized by vfs_caches_init() for size PATH_MAX. We're safe as long as PATH_MAX <= PAGE_SIZE. PATH_MAX is 4096. As far as I know, the smallest PAGE_SIZE is also 4096. Here's a patch that makes the code a bit more obviously correct. It doesn't depend on PATH_MAX <= PAGE_SIZE. Signed-off-by: Markus Armbruster <armbru@redhat.com> Cc: Latchesar Ionkov <lucho@ionkov.net> Cc: Jim Meyering <meyering@redhat.com> Cc: "Randy.Dunlap" <rdunlap@xenotime.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> |
||
|---|---|---|
| .. | ||
| acpi | ||
| asm-alpha | ||
| asm-arm | ||
| asm-avr32 | ||
| asm-blackfin | ||
| asm-cris | ||
| asm-frv | ||
| asm-generic | ||
| asm-h8300 | ||
| asm-ia64 | ||
| asm-m32r | ||
| asm-m68k | ||
| asm-m68knommu | ||
| asm-mips | ||
| asm-mn10300 | ||
| asm-parisc | ||
| asm-powerpc | ||
| asm-ppc | ||
| asm-s390 | ||
| asm-sh | ||
| asm-sparc | ||
| asm-sparc64 | ||
| asm-um | ||
| asm-v850 | ||
| asm-x86 | ||
| asm-xtensa | ||
| crypto | ||
| keys | ||
| linux | ||
| math-emu | ||
| media | ||
| mtd | ||
| net | ||
| pcmcia | ||
| rdma | ||
| rxrpc | ||
| scsi | ||
| sound | ||
| video | ||
| xen | ||
| Kbuild | ||