Re: namespaces: Out-of-bounds array access

From: Andrew Morton
Date: Wed Feb 01 2012 - 18:21:14 EST

Next message: Grant Likely: "Re: [PATCH] drivercore: Output common devicetree information in uevent"
Previous message: Linus Torvalds: "Re: [PATCH] sysfs: Optionally count subdirectories to support buggy applications"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 06 Jan 2012 01:18:47 +0100
Richard Weinberger <richard@xxxxxx> wrote:

> Hi!
>
> While searching a completely different bug I've found this problem:
> If CONFIG_NET_NS, CONFIG_UTS_NS and CONFIG_IPC_NS are disabled, ns_entries[]
> becomes empty and things like ns_entries[ARRAY_SIZE(ns_entries) - 1] will explode.
>

Presumably this will fix it:

--- a/fs/proc/namespaces.c~a
+++ a/fs/proc/namespaces.c
@@ -156,15 +156,15 @@ static struct dentry *proc_ns_dir_lookup
if (!ptrace_may_access(task, PTRACE_MODE_READ))
goto out;

- last = &ns_entries[ARRAY_SIZE(ns_entries) - 1];
- for (entry = ns_entries; entry <= last; entry++) {
+ last = &ns_entries[ARRAY_SIZE(ns_entries)];
+ for (entry = ns_entries; entry < last; entry++) {
if (strlen((*entry)->name) != len)
continue;
if (!memcmp(dentry->d_name.name, (*entry)->name, len))
break;
}
error = ERR_PTR(-ENOENT);
- if (entry > last)
+ if (entry == last)
goto out;

error = proc_ns_instantiate(dir, dentry, task, *entry);
_

But I wonder why we compile this file at all when ns_entries[] is
empty?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Grant Likely: "Re: [PATCH] drivercore: Output common devicetree information in uevent"
Previous message: Linus Torvalds: "Re: [PATCH] sysfs: Optionally count subdirectories to support buggy applications"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]