Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261793AbUCBXyR (ORCPT ); Tue, 2 Mar 2004 18:54:17 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261794AbUCBXyQ (ORCPT ); Tue, 2 Mar 2004 18:54:16 -0500 Received: from adsl-186.flex.com ([206.126.1.185]:15488 "EHLO mail.imodulo.com") by vger.kernel.org with ESMTP id S261793AbUCBXx4 (ORCPT ); Tue, 2 Mar 2004 18:53:56 -0500 Date: Tue, 2 Mar 2004 23:53:53 +0000 From: Glen Nakamura To: linux-kernel@vger.kernel.org Cc: jmorris@redhat.com Subject: Mysterious string truncation in 2.4.25 kernel Message-ID: <20040302235353.GA4215@modulo.internal> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2264 Lines: 59 Aloha, I'm running a patched 2.4.25 kernel and I noticed truncated strings in various procfs files. e.g. # cat /proc/tty/drivers se /dev/cua/%d 5 64-127 serial:callout se /dev/tts/%d 4 64-127 se pty_slave /dev/pts/%d 136 0-255 pty:slave pty_master /dev/ptm 128 0-255 pty:master pty_slave /dev/pty/s%d 3 0-255 pty:slave pty_master /dev/pty/m%d 2 0-255 pty:master /dev/vc/0 /dev/vc/0 4 0 system:vtmaster /dev/ptmx /dev/ptmx 5 2 system /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty unknown /dev/vc/%d 4 1-63 console Notice that "serial" is output as "se" in the top two lines. I was able to produce similar results on a vanilla 2.4.25 kernel by simply changing the length of a few strings in fs/proc/proc_tty.c. I believe the problem is caused by the following patch: ChangeSet@1.1290.1.16 2004-01-31 21:16:34-02:00 jmorris@redhat.com > [PATCH] Zero last byte of mount option page > > Hi Al, > > Here's a patch which zeroes the last byte of the mount option data copied > from userspace during mount(2). > > For filesystems which parse mount options as strings (the majority), lack > of a zero terminator could cause the page to be overrun. The source code > comments specify that the maximum size of the mount data is PAGE_SIZE-1, > so this patch will not affect any valid binary-formatted mount data. --- 1.24/fs/namespace.c Tue Mar 2 15:50:11 2004 +++ 1.25/fs/namespace.c Tue Mar 2 15:50:11 2004 @@ -715,6 +715,9 @@ if (dev_name && !memchr(dev_name, 0, PAGE_SIZE)) return -EINVAL; + if (data_page) + ((char *)data_page)[PAGE_SIZE - 1] = 0; + /* Separate the per-mountpoint flags */ if (flags & MS_NOSUID) mnt_flags |= MNT_NOSUID; Could someone please comment on the correctness of the above patch especially regarding procfs? - glen - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/