| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Sep 2006 19:13:58 -0700 From: Edward Falk <efalk@...gle.com> To: linux-kernel@...r.kernel.org Subject: Proper /proc/pid/cmdline behavior when command line is corrupt? Hi all; there's a few lines of code in fs/proc/base.c:proc_pid_cmdline() that I'm unable to make sense of. There are a few lines that check the returned buffer to see if it's properly nul-terminated. If not, the code assumes the user has overwritten and corrupted the command line buffer. The next step is to search for the first embedded nul, and truncate the buffer at that point. If no embedded nul is found, enough data is copied from the user's environment to fill the buffer. Another search for an embedded nul is then made. Does anybody know what on earth this code is trying to accomplish? Is this the intended behavior? The best I can guess is that the user is assumed to have overwritten the end of the command line buffer and that the environment buffer is assumed to immediately follow the command line buffer. I'm currently working on a patch that removes the one page limit on the returned command line buffer but I'm not convinced I should retain this behavior. Is it possible that there's any code out there that depends on this behavior. It would help if I knew why it was done this way. TIA, -ed falk, efalk@...gle.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists