lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed,  5 Feb 2014 18:34:07 +0100
From:	Denys Vlasenko <dvlasenk@...hat.com>
To:	linux-kernel@...r.kernel.org
Cc:	Denys Vlasenko <dvlasenk@...hat.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Oleg Nesterov <oleg@...hat.com>,
	Jan Kratochvil <jan.kratochvil@...hat.com>,
	Amerigo Wang <amwang@...hat.com>,
	"Jonathan M. Foote" <jmfoote@...t.org>,
	Roland McGrath <roland@...k.frob.com>,
	Pedro Alves <palves@...hat.com>,
	Fengguang Wu <fengguang.wu@...el.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>
Subject: [PATCH] fs: fix d_path() with zero-length input buffer

In prepend_name(), *buflen < dlen + 1 comparison is buggy
because dlen has unsigned data type, and we can reach this location
with *buflen == -1.

The fix casts dlen to int.

Bug reports:
https://bugzilla.redhat.com/show_bug.cgi?id=1050964
https://bugzilla.redhat.com/show_bug.cgi?id=1060384

Signed-off-by: Denys Vlasenko <dvlasenk@...hat.com>
Cc: Al Viro <viro@...iv.linux.org.uk>
Cc: Oleg Nesterov <oleg@...hat.com>
Cc: Jan Kratochvil <jan.kratochvil@...hat.com>
Cc: Amerigo Wang <amwang@...hat.com>
Cc: "Jonathan M. Foote" <jmfoote@...t.org>
Cc: Roland McGrath <roland@...k.frob.com>
Cc: Pedro Alves <palves@...hat.com>
Cc: Fengguang Wu <fengguang.wu@...el.com>
Cc: Stephen Rothwell <sfr@...b.auug.org.au>
---
 fs/dcache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 265e0ce..40ded0c 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2833,7 +2833,7 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
 	u32 dlen = ACCESS_ONCE(name->len);
 	char *p;
 
-	if (*buflen < dlen + 1)
+	if (*buflen < (int)dlen + 1)
 		return -ENAMETOOLONG;
 	*buflen -= dlen + 1;
 	p = *buffer -= dlen + 1;
-- 
1.8.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ