[PATCH] Zero last byte of mount option page.

From: James Morris
Date: Sat Jan 24 2004 - 10:18:44 EST

Next message: Wakko Warner: "Re: Illegal instruction with gl"
Previous message: Dr. David Alan Gilbert: "RFC: Representation of large hex values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Al,

Here's a patch which zeroes the last byte of the mount option data copied
from userspace during mount(2).

For filesystems which parse mount options as strings (the majority), lack
of a zero terminator could cause the page to be overrun. The source code
comments specify that the maximum size of the mount data is PAGE_SIZE-1,
so this patch will not affect any valid binary-formatted mount data.

Patch is against 2.6.2-rc1-mm2, and also applies to recent 2.4.

- James
--
James Morris
<jmorris@xxxxxxxxxx>

diff -urN -X dontdiff linux-2.6.2-rc1-mm2.o/fs/namespace.c linux-2.6.2-rc1-mm2.w/fs/namespace.c
--- linux-2.6.2-rc1-mm2.o/fs/namespace.c 2004-01-23 14:30:05.000000000 -0500
+++ linux-2.6.2-rc1-mm2.w/fs/namespace.c 2004-01-24 09:46:52.000919520 -0500
@@ -763,6 +763,9 @@
if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))
return -EINVAL;

+ if (data_page)
+ ((char *)data_page)[PAGE_SIZE - 1] = 0;
+
/* Separate the per-mountpoint flags */
if (flags & MS_NOSUID)
mnt_flags |= MNT_NOSUID;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Wakko Warner: "Re: Illegal instruction with gl"
Previous message: Dr. David Alan Gilbert: "RFC: Representation of large hex values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]