2010-08-18 13:34:09

by Miklos Szeredi

Subject: [PATCH] uml: fix hostfs lookup

From: Miklos Szeredi <[email protected]>

commit e9193059 (hostfs: fix races in dentry_name() and inode_name())
broke hostfs lookup.

The cause of the bug is that strncpy() zero fills the whole buffer.

Replace strncpy() with memcpy() and replace open coded memory move
with memmove().

Reported-by: Jouni Malinen <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
---
fs/hostfs/hostfs_kern.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/hostfs/hostfs_kern.c
===================================================================
--- linux-2.6.orig/fs/hostfs/hostfs_kern.c 2010-08-18 14:53:22.000000000 +0200
+++ linux-2.6/fs/hostfs/hostfs_kern.c 2010-08-18 15:04:25.000000000 +0200
@@ -100,20 +100,12 @@ static char *__dentry_name(struct dentry

root = dentry->d_sb->s_fs_info;
len = strlen(root);
- if (IS_ERR(p)) {
+ if (IS_ERR(p) || len > p - name) {
__putname(name);
return NULL;
}
- strncpy(name, root, PATH_MAX);
- if (len > p - name) {
- __putname(name);
- return NULL;
- }
- if (p > name + len) {
- char *s = name + len;
- while ((*s++ = *p++) != '\0')
- ;
- }
+ memcpy(name, root, len);
+ memmove(name + len, p, PATH_MAX - (p - name) + 1);
return name;
}
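
Review bot: the memmove() length on the last added line, PATH_MAX - (p - name) + 1, is one more than the number of bytes between p and the end of the buffer if name is PATH_MAX bytes long (the size the removed strncpy(name, root, PATH_MAX) was given), so the copy reads one byte past the buffer and, when len == p - name, writes one byte past it as well. Drop the + 1, or copy only strlen(p) + 1 bytes so the length does not depend on the buffer size.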


2010-08-18 13:39:56

by Miklos Szeredi

Subject: Re: [PATCH] uml: fix hostfs lookup

Oops, sorry. Off-by-one bug crept in there.

Updated patch follows.

Thanks,
Miklos

----
Subject: uml: fix hostfs lookup

From: Miklos Szeredi <[email protected]>

commit e9193059 (hostfs: fix races in dentry_name() and inode_name())
broke hostfs lookup.

The cause of the bug was that strncpy() zero fills the whole buffer.

Replace strncpy() with memcpy() and replace open coded memory move
with memmove().

Reported-by: Jouni Malinen <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
---
fs/hostfs/hostfs_kern.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/hostfs/hostfs_kern.c
===================================================================
--- linux-2.6.orig/fs/hostfs/hostfs_kern.c 2010-08-18 15:09:07.000000000 +0200
+++ linux-2.6/fs/hostfs/hostfs_kern.c 2010-08-18 15:36:34.000000000 +0200
@@ -100,20 +100,12 @@ static char *__dentry_name(struct dentry

root = dentry->d_sb->s_fs_info;
len = strlen(root);
- if (IS_ERR(p)) {
+ if (IS_ERR(p) || len > p - name) {
__putname(name);
return NULL;
}
- strncpy(name, root, PATH_MAX);
- if (len > p - name) {
- __putname(name);
- return NULL;
- }
- if (p > name + len) {
- char *s = name + len;
- while ((*s++ = *p++) != '\0')
- ;
- }
+ memcpy(name, root, len);
+ memmove(name + len, p, PATH_MAX - (p - name));
return name;
}
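
Review bot: the memmove() on the last added line moves everything from p to the end of the buffer, PATH_MAX - (p - name) bytes, rather than just the path string; the removed loop stopped at the '\0', and a length of strlen(p) + 1 would keep that behaviour and make it clear where the terminator comes from now that memcpy(name, root, len) copies root without one. A short comment that len == p - name is accepted by the `len > p - name` check (the memmove then has the same source and destination) would document the boundary case.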

2010-08-18 14:17:20

by Al Viro

Subject: Re: [PATCH] uml: fix hostfs lookup

On Wed, Aug 18, 2010 at 03:39:49PM +0200, Miklos Szeredi wrote:
> Oops, sorry. Off-by-one bug crept in there.

It's already fixed in the queue (see #untested in vfs-2.6)

2010-08-18 17:44:20

by Miklos Szeredi

Subject: Re: [PATCH] uml: fix hostfs lookup

On Wed, 18 Aug 2010, Al Viro wrote:
> On Wed, Aug 18, 2010 at 03:39:49PM +0200, Miklos Szeredi wrote:
> > Oops, sorry. Off-by-one bug crept in there.
>
> It's already fixed in the queue (see #untested in vfs-2.6)

Your fix is still wrong for the pathological case of len == p - name,
that's why I opted not to use strlcpy.

Thanks,
Miklos
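
The failure named in the commit message ("strncpy() zero fills the whole buffer"), reproduced in user space as an added example; it is not code from this thread or from the kernel tree. BUF_SIZE, place_at_tail(), join_strncpy() and join_memcpy() are hypothetical names, and the example assumes the path string sits at the tail of the buffer with p pointing at it.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 64 /* stand-in for PATH_MAX, constructed for this example */
/* Assumption: the path string sits at the tail of the buffer and p points at it. */
static char *place_at_tail(char *buf, const char *path)
{
    size_t n = strlen(path) + 1;
    char *p = buf + BUF_SIZE - n;
    memset(buf, 'x', BUF_SIZE);   /* buffer is not pre-zeroed */
    memcpy(p, path, n);
    return p;
}

/* Removed sequence: strncpy() pads with NULs up to BUF_SIZE, wiping the path at p. */
static int join_strncpy(char *buf, const char *root, const char *path)
{
    char *p = place_at_tail(buf, path);
    size_t len = strlen(root);
    strncpy(buf, root, BUF_SIZE);
    if (len > (size_t)(p - buf))
        return -1;
    if (p > buf + len) {
        char *s = buf + len;
        while ((*s++ = *p++) != '\0')
            ;
    }
    return 0;
}

/* Sequence from the updated patch: copy only len bytes, then slide the tail down. */
static int join_memcpy(char *buf, const char *root, const char *path)
{
    char *p = place_at_tail(buf, path);
    size_t len = strlen(root);
    if (len > (size_t)(p - buf))
        return -1;
    memcpy(buf, root, len);                       /* no padding, no terminator */
    memmove(buf + len, p, BUF_SIZE - (p - buf));  /* brings the path and its '\0' */
    return 0;
}

int main(void)
{
    char a[BUF_SIZE], b[BUF_SIZE];
    join_strncpy(a, "/srv/uml", "/etc/hosts");
    join_memcpy(b, "/srv/uml", "/etc/hosts");
    printf("strncpy: %s\nmemcpy:  %s\n", a, b);
    return 0;
}
```

With the strncpy() sequence only the root survives; with memcpy() plus memmove() the joined path is intact, including when the root exactly fills the gap before p.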