diff options
author | Vegard Nossum <vegard.nossum@gmail.com> | 2009-09-18 13:05:45 -0700 |
---|---|---|
committer | al <al@dizzy.pdmi.ras.ru> | 2009-09-24 08:40:15 -0400 |
commit | eca6f534e61919b28fb21aafbd1c2983deae75be (patch) | |
tree | b2c3f110a2defe6360004c39a074f3962ed0cc50 /fs/attr.c | |
parent | 6d729e44a55547c009d7a87ea66bff21a8e0afea (diff) | |
download | linux-eca6f534e61919b28fb21aafbd1c2983deae75be.tar.bz2 |
fs: fix overflow in sys_mount() for in-kernel calls
sys_mount() reads/copies a whole page for its "type" parameter. When
do_mount_root() passes a kernel address that points to an object which is
smaller than a whole page, copy_mount_options() will happily go past this
memory object, possibly dereferencing "wild" pointers that could be in any
state (hence the kmemcheck warning, which shows that parts of the next
page are not even allocated).
(The likelihood of something going wrong here is pretty low -- first of
all this only applies to kernel calls to sys_mount(), which are mostly
found in the boot code. Secondly, I guess if the page was not mapped,
exact_copy_from_user() _would_ in fact handle it correctly because of its
access_ok(), etc. checks.)
But it is much nicer to avoid the dubious reads altogether, by stopping as
soon as we find a NUL byte. Is there a good reason why we can't do
something like this, using the already existing strndup_from_user()?
[akpm@linux-foundation.org: make copy_mount_string() static]
[AV: fix compat mount breakage, which involves undoing akpm's change above]
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: al <al@dizzy.pdmi.ras.ru>
Diffstat (limited to 'fs/attr.c')
0 files changed, 0 insertions, 0 deletions