lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADNZ+wTGfASDe23n9fy=+6C060ZjZ0cWMkbs=+wbLaeA46zPgQ@mail.gmail.com>
Date:	Wed, 19 Jun 2013 15:59:01 -0400
From:	Tristan Schmelcher <tschmelcher@...gle.com>
To:	Richard Weinberger <richard@....at>, jdike@...toit.com
Cc:	user-mode-linux-devel <user-mode-linux-devel@...ts.sourceforge.net>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] uml: Fix which_tmpdir failure when /dev/shm is a symlink,
 and in other edge cases

And of course I found a bug in it moments after sending. Please
ignore, v2 coming shortly.

On 19 June 2013 15:30, Tristan Schmelcher <tschmelcher@...gle.com> wrote:
> From: Tristan Schmelcher <tschmelcher@...gle.com>
>
> which_tmpdir did the wrong thing if /dev/shm was a symlink (e.g., to
> /run/shm), if there were multiple mounts on top of each other, if the
> mount(s) were obscured by a later mount, or if /dev/shm was a prefix of
> another mount point. This fixes these cases. Applies to 3.9.6.
>
> Signed-off-by: Tristan Schmelcher <tschmelcher@...gle.com>
> ---
>
> --- linux-3.9.6/arch/um/os-Linux/mem.c.orig     2013-06-19
> 14:50:14.000000000 -0400
> +++ linux-3.9.6/arch/um/os-Linux/mem.c  2013-06-19 14:53:07.000000000 -0400
> @@ -53,6 +53,25 @@ static void __init find_tempdir(void)
>  }
>   /*
> + * Remove bytes from the front of the buffer and refill it so that if
> there's a
> + * partial string that we care about, it will be completed, and we can
> recognize
> + * it.
> + */
> +static int pop(int fd, char *buf, size_t size, size_t npop)
> +{
> +       ssize_t n;
> +       size_t len = strlen(&buf[npop]);
> +
> +       memmove(buf, &buf[npop], len + 1);
> +       n = read(fd, &buf[len], size - len - 1);
> +       if (n < 0)
> +               return -errno;
> +
> +       buf[len + n] = '\0';
> +       return 1;
> +}
> +
> +/*
>   * This will return 1, with the first character in buf being the
>   * character following the next instance of c in the file.  This will
>   * read the file as needed.  If there's an error, -errno is returned;
> @@ -61,7 +80,6 @@ static void __init find_tempdir(void)
>  static int next(int fd, char *buf, size_t size, char c)
>  {
>         ssize_t n;
> -       size_t len;
>         char *ptr;
>         while ((ptr = strchr(buf, c)) == NULL) {
> @@ -74,20 +92,113 @@ static int next(int fd, char *buf, size_
>                 buf[n] = '\0';
>         }
>  -      ptr++;
> -       len = strlen(ptr);
> -       memmove(buf, ptr, len + 1);
> +       return pop(fd, buf, size, ptr - buf + 1);
> +}
>  -      /*
> -        * Refill the buffer so that if there's a partial string that we
> care
> -        * about, it will be completed, and we can recognize it.
> -        */
> -       n = read(fd, &buf[len], size - len - 1);
> -       if (n < 0)
> -               return -errno;
> +/*
> + * Decode an octal-escaped and space-terminated path of the form used by
> + * /proc/mounts. May be used to decode a path in-place. "out" must be at
> least
> + * as large as the input.
> + */
> +static int decode_path(const char *in, char *out, size_t *ndecoded,
> +                      size_t *decodedlen)
> +{
> +       const char *first_in = in;
> +       char *first_out = out;
> +       int c;
> +       int i;
> +       while (*in) {
> +               switch (*in) {
> +               case ' ':
> +                       *out = '\0';
> +                       *ndecoded = in - first_in + 1;
> +                       *decodedlen = out - first_out;
> +                       return 0;
>  -      buf[len + n] = '\0';
> -       return 1;
> +               case '\\':
> +                       in++;
> +                       c = 0;
> +                       for (i = 0; i < 3; i++) {
> +                               if (*in < '0' || *in > '7')
> +                                       return -EINVAL;
> +                               c = (c << 3) | (*in++ - '0');
> +                       }
> +                       *out++ = (char) c;
> +                       break;
> +
> +               default:
> +                       *out++ = *in++;
> +                       break;
> +               }
> +       }
> +
> +       return -EINVAL;
> +}
> +
> +static size_t octal_encoded_length(const char *s, const char *chars)
> +{
> +       size_t len = strlen(s);
> +       while ((s = strpbrk(s, chars)) != NULL) {
> +               len += 3;
> +               s++;
> +       }
> +
> +       return len;
> +}
> +
> +enum {
> +       OUTCOME_NOT_A_MOUNT_POINT,
> +       OUTCOME_TMPFS_MOUNT,
> +       OUTCOME_NON_TMPFS_MOUNT,
> +};
> +
> +/* Read a line of /proc/mounts data looking for a tmpfs mount at "path". */
> +static int read_mount(int fd, char *buf, size_t bufsize, const char *path,
> +                     int *outcome)
> +{
> +       int found;
> +       int match;
> +       size_t ndecoded;
> +       size_t decodedlen;
> +
> +       enum {
> +               MATCH_NONE,
> +               MATCH_EXACT,
> +               MATCH_PARENT,
> +       };
> +
> +       found = next(fd, buf, bufsize, ' ');
> +       if (found != 1)
> +               return found;
> +
> +       if (!decode_path(buf, buf, &ndecoded, &decodedlen)) {
> +               match = MATCH_NONE;
> +               if (!strcmp(buf, path))
> +                       match = MATCH_EXACT;
> +               else if (!strncmp(buf, path, decodedlen)
> +                        && (path[decodedlen] == '/' || !strcmp(buf, "/")))
> +                       match = MATCH_PARENT;
> +
> +               found = pop(fd, buf, bufsize, ndecoded);
> +               if (found != 1)
> +                       return found;
> +
> +               switch (match) {
> +               case MATCH_EXACT:
> +                       if (!strncmp(buf, "tmpfs", strlen("tmpfs")))
> +                               *outcome = OUTCOME_TMPFS_MOUNT;
> +                       else
> +                               *outcome = OUTCOME_NON_TMPFS_MOUNT;
> +                       break;
> +
> +               case MATCH_PARENT:
> +                       /* This mount obscures any previous ones. */
> +                       *outcome = OUTCOME_NOT_A_MOUNT_POINT;
> +                       break;
> +               }
> +       }
> +
> +       return next(fd, buf, bufsize, '\n');
>  }
>   /* which_tmpdir is called only during early boot */
> @@ -106,8 +217,12 @@ static int checked_tmpdir = 0;
>   */
>  static void which_tmpdir(void)
>  {
> -       int fd, found;
> -       char buf[128] = { '\0' };
> +       int fd;
> +       int found;
> +       int outcome;
> +       char *path;
> +       char *buf;
> +       size_t bufsize;
>         if (checked_tmpdir)
>                 return;
> @@ -116,49 +231,66 @@ static void which_tmpdir(void)
>         printf("Checking for tmpfs mount on /dev/shm...");
>  +      path = realpath("/dev/shm", NULL);
> +       if (!path) {
> +               printf("failed to check real path, errno = %d\n", errno);
> +               return;
> +       }
> +       printf("%s...", path);
> +
> +       /*
> +        * The buffer needs to be able to fit the full octal-escaped path, a
> +        * space, and a trailing null in order to successfully decode it.
> +        */
> +       bufsize = octal_encoded_length(path, " \t\n\\") + 2;
> +
> +       if (bufsize < 128)
> +               bufsize = 128;
> +
> +       buf = malloc(bufsize);
> +       if (!buf) {
> +               printf("malloc failed, errno = %d\n", errno);
> +               goto out;
> +       }
> +       buf[0] = '\0';
> +
>         fd = open("/proc/mounts", O_RDONLY);
>         if (fd < 0) {
>                 printf("failed to open /proc/mounts, errno = %d\n", errno);
> -               return;
> +               goto out1;
>         }
>  +      outcome = OUTCOME_NOT_A_MOUNT_POINT;
>         while (1) {
> -               found = next(fd, buf, ARRAY_SIZE(buf), ' ');
> -               if (found != 1)
> -                       break;
> -
> -               if (!strncmp(buf, "/dev/shm", strlen("/dev/shm")))
> -                       goto found;
> -
> -               found = next(fd, buf, ARRAY_SIZE(buf), '\n');
> +               found = read_mount(fd, buf, bufsize, path, &outcome);
>                 if (found != 1)
>                         break;
>         }
>  -err:
> -       if (found == 0)
> -               printf("nothing mounted on /dev/shm\n");
> -       else if (found < 0)
> +       if (found < 0) {
>                 printf("read returned errno %d\n", -found);
> +       } else {
> +               switch (outcome) {
> +               case OUTCOME_TMPFS_MOUNT:
> +                       printf("OK\n");
> +                       default_tmpdir = "/dev/shm";
> +                       break;
>  -out:
> -       close(fd);
> -
> -       return;
> -
> -found:
> -       found = next(fd, buf, ARRAY_SIZE(buf), ' ');
> -       if (found != 1)
> -               goto err;
> +               case OUTCOME_NON_TMPFS_MOUNT:
> +                       printf("not tmpfs\n");
> +                       break;
>  -      if (strncmp(buf, "tmpfs", strlen("tmpfs"))) {
> -               printf("not tmpfs\n");
> -               goto out;
> +               default:
> +                       printf("nothing mounted on /dev/shm\n");
> +                       break;
> +               }
>         }
>  -      printf("OK\n");
> -       default_tmpdir = "/dev/shm";
> -       goto out;
> +       close(fd);
> +out1:
> +       free(buf);
> +out:
> +       free(path);
>  }
>   static int __init make_tempfile(const char *template, char **out_tempname,
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ