2010-02-03 15:43:14

by Roel Kluin

Subject: [PATCH] alpha: PTR_ERR overwrites -EINVAL in syscall osf_mount

The initial -EINVAL value is overwritten by `retval = PTR_ERR(name)'.
If this isn't an error pointer and typenr is not 1, 6 or 9, then
this retval, a pointer cast to a long, is returned.

Signed-off-by: Roel Kluin <[email protected]>
---
Was this intended? Not sure whether this can occur, found by code
analysis.

diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
index 62619f2..53c213f 100644
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -361,7 +361,7 @@ osf_procfs_mount(char *dirname, struct procfs_args __user *args, int flags)
SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, char __user *, path,
int, flag, void __user *, data)
{
- int retval = -EINVAL;
+ int retval;
char *name;

name = getname(path);
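Review bot: removing the `-EINVAL` initializer from `int retval` means `retval` holds no value until the `retval = PTR_ERR(name)` assignment the commit message describes, so after this hunk every path that reaches `return` must assign it explicitly; that is the case only if the `default:` arm is the last unassigned path, which this hunk alone cannot show. An alternative that keeps the initializer and makes the intent obvious would be to return `PTR_ERR(name)` directly from the `IS_ERR(name)` branch instead of storing it in `retval`. Note also that `PTR_ERR()` yields a `long` while `retval` is an `int`, so on Alpha the stored value is the low 32 bits of the pointer, which is exactly what the pre-patch code handed back to the caller.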
@@ -379,6 +379,7 @@ SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, char __user *, path,
retval = osf_procfs_mount(name, data, flag);
break;
default:
+ retval = -EINVAL;
printk("osf_mount(%ld, %x)\n", typenr, flag);
}
putname(name);
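Review bot: the added `retval = -EINVAL;` in the `default:` arm is the correct fix, and the consequence is worth spelling out in the changelog: before it, a caller passing any `typenr` other than the handled cases received the low bits of the `getname()` buffer address as the syscall result, i.e. a kernel pointer disclosure to user space rather than merely a wrong errno. Two smaller points on the same arm: `printk("osf_mount(%ld, %x)\n", typenr, flag);` carries no log level (`KERN_WARNING` or similar) and is reachable with a caller-chosen `typenr`, so it is a user-triggerable, unthrottled log line; gate it on `printk_ratelimit()` or drop it. Also `typenr` is declared `unsigned long`, so the format should be `%lu` rather than `%ld`.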


2010-02-03 15:52:59

by Matt Turner

Subject: Re: [PATCH] alpha: PTR_ERR overwrites -EINVAL in syscall osf_mount

On Wed, Feb 3, 2010 at 10:49 AM, Roel Kluin <[email protected]> wrote:
> The initial -EINVAL value is overwritten by `retval = PTR_ERR(name)'.
> If this isn't an error pointer and typenr is not 1, 6 or 9, then
> this retval, a pointer cast to a long, is returned.
>
> Signed-off-by: Roel Kluin <[email protected]>
> ---
> Was this intended? Not sure whether this can occur, found by code
> analysis.
>
> diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
> index 62619f2..53c213f 100644
> --- a/arch/alpha/kernel/osf_sys.c
> +++ b/arch/alpha/kernel/osf_sys.c
> @@ -361,7 +361,7 @@ osf_procfs_mount(char *dirname, struct procfs_args __user *args, int flags)
> ?SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, char __user *, path,
> ? ? ? ? ? ? ? ?int, flag, void __user *, data)
> ?{
> - ? ? ? int retval = -EINVAL;
> + ? ? ? int retval;
> ? ? ? ?char *name;
>
> ? ? ? ?name = getname(path);
> @@ -379,6 +379,7 @@ SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, char __user *, path,
> ? ? ? ? ? ? ? ?retval = osf_procfs_mount(name, data, flag);
> ? ? ? ? ? ? ? ?break;
> ? ? ? ?default:
> + ? ? ? ? ? ? ? retval = -EINVAL;
> ? ? ? ? ? ? ? ?printk("osf_mount(%ld, %x)\n", typenr, flag);
> ? ? ? ?}
> ? ? ? ?putname(name);
>

Looks like a bug to me as well. Can anyone else confirm?

Matt Turner

2010-02-03 17:26:58

by Richard Henderson

Subject: Re: [PATCH] alpha: PTR_ERR overwrites -EINVAL in syscall osf_mount

On 02/03/2010 07:49 AM, Roel Kluin wrote:
> The initial -EINVAL value is overwritten by `retval = PTR_ERR(name)'.
> If this isn't an error pointer and typenr is not 1, 6 or 9, then
> this retval, a pointer cast to a long, is returned.
>
> Signed-off-by: Roel Kluin<[email protected]>

Acked-by: Richard Henderson <[email protected]>


r~
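As an added example, not code from the patch, from this thread, or from arch/alpha/kernel/osf_sys.c, the following user-space C model reproduces the control flow Roel describes: an `int retval` seeded with `-EINVAL`, overwritten by `PTR_ERR(name)`, and returned unchanged when `typenr` falls through to `default:`. It assumes the unseen lines between the two hunks are `retval = PTR_ERR(name); if (IS_ERR(name)) goto out;`, replaces `getname()`/`putname()` and the three mount helpers with stand-ins (`fake_getname`, `fake_putname`, `fake_mount`), and uses a static buffer in place of the slab-allocated name; all of those names are assumptions.

```c
/*
 * Added example (not from the patch or from arch/alpha/kernel/osf_sys.c):
 * user-space model of osf_mount()'s error path before and after the fix.
 * Kernel helpers are replaced by stand-ins; every name here is an assumption.
 * Build: cc -std=c11 -Wall osf_mount_demo.c
 */
#include <errno.h>
#include <stdalign.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095 /* same convention as include/linux/err.h */

static inline void *ERR_PTR(long error)      { return (void *)error; }
static inline long  PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int   IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Stand-in for getname(): copies the path into a "kernel" buffer.  A static,
 * 16-byte aligned array plays the role of the slab-allocated name buffer. */
static _Alignas(16) char name_buf[64];

static char *fake_getname(const char *user_path)
{
	if (user_path == NULL)
		return ERR_PTR(-EFAULT);
	if (strlen(user_path) >= sizeof name_buf)
		return ERR_PTR(-ENAMETOOLONG);
	strcpy(name_buf, user_path);
	return name_buf;
}

static void fake_putname(char *name) { (void)name; }

/* Stand-in for osf_ufs_mount()/osf_cdfs_mount()/osf_procfs_mount(). */
static int fake_mount(const char *name) { (void)name; return 0; }

/* Shape of the function before the patch (assumed: the lines between the two
 * hunks read "retval = PTR_ERR(name); if (IS_ERR(name)) goto out;"). */
int osf_mount_buggy(unsigned long typenr, const char *path)
{
	int retval = -EINVAL;   /* dead store: overwritten two lines down */
	char *name;

	name = fake_getname(path);
	retval = PTR_ERR(name); /* long -> int: keeps the low 32 pointer bits */
	if (IS_ERR(name))
		goto out;
	switch (typenr) {
	case 1: case 6: case 9:
		retval = fake_mount(name);
		break;
	default:
		/* nothing assigns retval here: the pointer bits are returned */
		break;
	}
	fake_putname(name);
out:
	return retval;
}

/* Shape of the function after the patch: the default arm sets -EINVAL. */
int osf_mount_fixed(unsigned long typenr, const char *path)
{
	int retval;
	char *name;

	name = fake_getname(path);
	retval = PTR_ERR(name);
	if (IS_ERR(name))
		goto out;
	switch (typenr) {
	case 1: case 6: case 9:
		retval = fake_mount(name);
		break;
	default:
		retval = -EINVAL;
		break;
	}
	fake_putname(name);
out:
	return retval;
}

/* Low 32 bits of the name buffer's address: what the buggy path hands back. */
int leaked_pointer_bits(void)
{
	return (int)(long)name_buf;
}

int main(void)
{
	printf("buggy: typenr=5 -> %d (low bits of %p)\n",
	       osf_mount_buggy(5, "/mnt"), (void *)name_buf);
	printf("fixed: typenr=5 -> %d (-EINVAL)\n", osf_mount_fixed(5, "/mnt"));
	printf("both:  path=NULL -> %d / %d (-EFAULT)\n",
	       osf_mount_buggy(5, NULL), osf_mount_fixed(5, NULL));
	return 0;
}
```

Running it shows the two functions agreeing on the handled `typenr` values and on the `getname()` failure path, and disagreeing only for an unknown `typenr`, where the buggy version returns the truncated buffer address and the fixed one returns `-EINVAL`. The 16-byte alignment of `name_buf` is there only so the leaked value can never coincide with `-EINVAL` (`0xFFFFFFEA`) and the contrast is deterministic.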