Re: 2.6.6-rc3-mm2 (4KSTACK)

From: Dave Jones
Date: Fri May 07 2004 - 10:16:23 EST

Next message: Christoph Hellwig: "Re: [PATCH][SELINUX] 2/2 sock_create_lite()"
Previous message: Stas Sergeev: "Bug in IO bitmap handling? Probably exploitable (2.6.5)"
In reply to: Arjan van de Ven: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Next in thread: Steve Lord: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 07, 2004 at 08:51:05AM +0200, Arjan van de Ven wrote:
>
> On Fri, May 07, 2004 at 01:37:54AM +0100, Paul Jakma wrote:
> > On Thu, 6 May 2004, Arjan van de Ven wrote:
> >
> > > Ok I don't want to start a flamewar but... Do we want to hold linux
> > > back until all binary only module vendors have caught up ??
> >
> > What about normal linux modules though? Eg, NFS (most likely):
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121804
>
> NFSv4 has a > 1Kb stack user; Dave Jones has a fix pending for that...

Hmm, this one maybe?

Dave

--- linux-2.6.5/net/sunrpc/auth_gss/auth_gss.c~ 2004-05-05 13:34:31.000000000 +0100
+++ linux-2.6.5/net/sunrpc/auth_gss/auth_gss.c 2004-05-05 13:33:05.000000000 +0100
@@ -429,10 +429,8 @@ gss_pipe_upcall(struct file *filp, struc
static ssize_t
gss_pipe_downcall(struct file *filp, const char *src, size_t mlen)
{
- char buf[1024];
struct xdr_netobj obj = {
.len = mlen,
- .data = buf,
};
struct inode *inode = filp->f_dentry->d_inode;
struct rpc_inode *rpci = RPC_I(inode);
@@ -448,11 +446,19 @@ gss_pipe_downcall(struct file *filp, con
int err;
int gss_err;

- if (mlen > sizeof(buf))
+ obj.data = kmalloc(1024, GFP_KERNEL);
+ if (!obj.data)
+ return -ENOMEM;
+
+ if (mlen > 1024) {
+ kfree (obj.data);
return -ENOSPC;
- left = copy_from_user(buf, src, mlen);
- if (left)
+ }
+ left = copy_from_user(obj.data, src, mlen);
+ if (left) {
+ kfree (obj.data);
return -EFAULT;
+ }
clnt = rpci->private;
atomic_inc(&clnt->cl_users);
auth = clnt->cl_auth;
@@ -477,12 +483,14 @@ gss_pipe_downcall(struct file *filp, con
} else
spin_unlock(&gss_auth->lock);
rpc_release_client(clnt);
+ kfree (obj.data);
return mlen;
err:
if (ctx)
gss_destroy_ctx(ctx);
rpc_release_client(clnt);
dprintk("RPC: gss_pipe_downcall returning %d\n", err);
+ kfree (obj.data);
return err;
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: [PATCH][SELINUX] 2/2 sock_create_lite()"
Previous message: Stas Sergeev: "Bug in IO bitmap handling? Probably exploitable (2.6.5)"
In reply to: Arjan van de Ven: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Next in thread: Steve Lord: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]