| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Apr 2013 13:03:06 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: David Rientjes <rientjes@...gle.com> Cc: John Stultz <johnstul@...ibm.com>, linux-kernel@...r.kernel.org, John Stultz <john.stultz@...aro.org> Subject: Re: [patch] fs, proc: truncate /proc/pid/comm writes to first TASK_COMM_LEN bytes > cc: John Stultz <johnstul@...ibm.com> I don't know if that address still works. On Mon, 8 Apr 2013 18:55:13 -0700 (PDT) David Rientjes <rientjes@...gle.com> wrote: > Currently, a write to /proc/pid/write will return the number of bytes > successfully written. If the actual string is greater than this, the > remainder of the string will normally be written. The paragraph is a bit of a head-scratcher. I did some subediting. > This results in things such as > > $ echo -n "abcdefghijklmnopqrs" > /proc/self/comm > > to result in > > $ cat /proc/$$/comm > pqrs hah, that's pretty sad. > since the final four bytes were written with a second write() since > TASK_COMM_LEN == 16. This is obviously an undesired result and not > equivalent to prctl(PR_SET_NAME). The implementation should not need to > know the definition of TASK_COMM_LEN. > > This patch truncates the string to the first TASK_COMM_LEN bytes and > returns the bytes written as the length of the string written so the > second write() is suppressed. > > $ cat /proc/$$/comm > abcdefghijklmno From: David Rientjes <rientjes@...gle.com> Subject: fs, proc: truncate /proc/pid/comm writes to first TASK_COMM_LEN bytes Currently, a write to a procfs file will return the number of bytes successfully written. If the actual string is longer than this, the remainder of the string will not be be written and userspace will complete the operation by issuing additional write()s. Hence $ echo -n "abcdefghijklmnopqrs" > /proc/self/comm results in $ cat /proc/$$/comm pqrs since the final four bytes were written with a second write() since TASK_COMM_LEN == 16. This is obviously an undesired result and not equivalent to prctl(PR_SET_NAME). The implementation should not need to know the definition of TASK_COMM_LEN. This patch truncates the string to the first TASK_COMM_LEN bytes and returns the bytes written as the length of the string written so the second write() is suppressed. $ cat /proc/$$/comm abcdefghijklmno Signed-off-by: David Rientjes <rientjes@...gle.com> Cc: John Stultz <john.stultz@...aro.org> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org> --- fs/proc/base.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff -puN fs/proc/base.c~fs-proc-truncate-proc-pid-comm-writes-to-first-task_comm_len-bytes fs/proc/base.c --- a/fs/proc/base.c~fs-proc-truncate-proc-pid-comm-writes-to-first-task_comm_len-bytes +++ a/fs/proc/base.c @@ -1347,11 +1347,10 @@ static ssize_t comm_write(struct file *f struct inode *inode = file_inode(file); struct task_struct *p; char buffer[TASK_COMM_LEN]; + const size_t maxlen = sizeof(buffer) - 1; memset(buffer, 0, sizeof(buffer)); - if (count > sizeof(buffer) - 1) - count = sizeof(buffer) - 1; - if (copy_from_user(buffer, buf, count)) + if (copy_from_user(buffer, buf, count > maxlen ? maxlen : count)) return -EFAULT; p = get_proc_task(inode); _ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists