lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <E1Olirt-0006aI-DV@pomaz-ex.szeredi.hu>
Date:	Wed, 18 Aug 2010 15:39:49 +0200
From:	Miklos Szeredi <miklos@...redi.hu>
To:	viro@...IV.linux.org.uk
CC:	jkmalinen@...il.com, torvalds@...ux-foundation.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] uml: fix hostfs lookup

Oops, sorry.  Off-by-one bug crept in there.

Updated patch follows.

Thanks,
Miklos

----
Subject: uml: fix hostfs lookup

From: Miklos Szeredi <mszeredi@...e.cz>

commit e9193059 (hostfs: fix races in dentry_name() and inode_name())
broke hostfs lookup.

The cause of the bug was that strncpy() zero fills the whole buffer.

Replace strncpy() with memcpy() and replace open coded memory move
with memmove().

Reported-by: Jouni Malinen <jkmalinen@...il.com>
Signed-off-by: Miklos Szeredi <mszeredi@...e.cz>
---
 fs/hostfs/hostfs_kern.c |   14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/hostfs/hostfs_kern.c
===================================================================
--- linux-2.6.orig/fs/hostfs/hostfs_kern.c	2010-08-18 15:09:07.000000000 +0200
+++ linux-2.6/fs/hostfs/hostfs_kern.c	2010-08-18 15:36:34.000000000 +0200
@@ -100,20 +100,12 @@ static char *__dentry_name(struct dentry
 
 	root = dentry->d_sb->s_fs_info;
 	len = strlen(root);
-	if (IS_ERR(p)) {
+	if (IS_ERR(p) || len > p - name) {
 		__putname(name);
 		return NULL;
 	}
-	strncpy(name, root, PATH_MAX);
-	if (len > p - name) {
-		__putname(name);
-		return NULL;
-	}
-	if (p > name + len) {
-		char *s = name + len;
-		while ((*s++ = *p++) != '\0')
-			;
-	}
+	memcpy(name, root, len);
+	memmove(name + len, p, PATH_MAX - (p - name));
 	return name;
 }
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ