b32a09db4f
match_strcpy() is a somewhat creepy function: the caller needs to make sure that the destination buffer is big enough, and when he screws up or forgets, match_strcpy() happily overruns the buffer. There's exactly one customer: v9fs_parse_options(). I believe it currently can't overflow its buffer, but that's not exactly obvious. The source string is a substing of the mount options. The kernel silently truncates those to PAGE_SIZE bytes, including the terminating zero. See compat_sys_mount() and do_mount(). The destination buffer is obtained from __getname(), which allocates from name_cachep, which is initialized by vfs_caches_init() for size PATH_MAX. We're safe as long as PATH_MAX <= PAGE_SIZE. PATH_MAX is 4096. As far as I know, the smallest PAGE_SIZE is also 4096. Here's a patch that makes the code a bit more obviously correct. It doesn't depend on PATH_MAX <= PAGE_SIZE. Signed-off-by: Markus Armbruster <armbru@redhat.com> Cc: Latchesar Ionkov <lucho@ionkov.net> Cc: Jim Meyering <meyering@redhat.com> Cc: "Randy.Dunlap" <rdunlap@xenotime.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> |
||
---|---|---|
.. | ||
acpi | ||
asm-alpha | ||
asm-arm | ||
asm-avr32 | ||
asm-blackfin | ||
asm-cris | ||
asm-frv | ||
asm-generic | ||
asm-h8300 | ||
asm-ia64 | ||
asm-m32r | ||
asm-m68k | ||
asm-m68knommu | ||
asm-mips | ||
asm-mn10300 | ||
asm-parisc | ||
asm-powerpc | ||
asm-ppc | ||
asm-s390 | ||
asm-sh | ||
asm-sparc | ||
asm-sparc64 | ||
asm-um | ||
asm-v850 | ||
asm-x86 | ||
asm-xtensa | ||
crypto | ||
keys | ||
linux | ||
math-emu | ||
media | ||
mtd | ||
net | ||
pcmcia | ||
rdma | ||
rxrpc | ||
scsi | ||
sound | ||
video | ||
xen | ||
Kbuild |