mpol_to_str revisited.

From: Dave Jones
Date: Mon Oct 08 2012 - 11:09:50 EST

Next message: Dave Jones: "Re: mpol_to_str revisited."
Previous message: Kirill A. Shutemov: "Re: [PATCH v2] gma500: medfield: drop bogus NULL check inmdfld_dsi_output_init()"
Next in thread: Dave Jones: "Re: mpol_to_str revisited."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Last month I sent in 80de7c3138ee9fd86a98696fd2cf7ad89b995d0a to remove
a user triggerable BUG in mempolicy.

Ben Hutchings pointed out to me that my change introduced a potential leak
of stack contents to userspace, because none of the callers check the return value.

This patch adds the missing return checking, and also clears the buffer beforehand.

Reported-by: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
Signed-off-by: Dave Jones <davej@xxxxxxxxxx>

---
unanswered question: why are the buffer sizes here different ? which is correct?

diff -durpN '--exclude-from=/home/davej/.exclude' src/git-trees/kernel/linux/fs/proc/task_mmu.c linux-dj/fs/proc/task_mmu.c
--- src/git-trees/kernel/linux/fs/proc/task_mmu.c 2012-05-31 22:32:46.778150675 -0400
+++ linux-dj/fs/proc/task_mmu.c 2012-10-04 19:31:41.269988984 -0400
@@ -1162,6 +1162,7 @@ static int show_numa_map(struct seq_file
struct mm_walk walk = {};
struct mempolicy *pol;
int n;
+ int ret;
char buffer[50];

if (!mm)
@@ -1178,7 +1179,11 @@ static int show_numa_map(struct seq_file
walk.mm = mm;

pol = get_vma_policy(proc_priv->task, vma, vma->vm_start);
- mpol_to_str(buffer, sizeof(buffer), pol, 0);
+ memset(buffer, 0, sizeof(buffer));
+ ret = mpol_to_str(buffer, sizeof(buffer), pol, 0);
+ if (ret < 0)
+ return 0;
+
mpol_cond_put(pol);

seq_printf(m, "%08lx %s", vma->vm_start, buffer);
diff -durpN '--exclude-from=/home/davej/.exclude' src/git-trees/kernel/linux/mm/shmem.c linux-dj/mm/shmem.c
--- src/git-trees/kernel/linux/mm/shmem.c 2012-10-02 15:49:51.977277944 -0400
+++ linux-dj/mm/shmem.c 2012-10-04 19:32:28.862949907 -0400
@@ -885,13 +885,15 @@ redirty:
static void shmem_show_mpol(struct seq_file *seq, struct mempolicy *mpol)
{
char buffer[64];
+ int ret;

if (!mpol || mpol->mode == MPOL_DEFAULT)
return; /* show nothing */

- mpol_to_str(buffer, sizeof(buffer), mpol, 1);
-
- seq_printf(seq, ",mpol=%s", buffer);
+ memset(buffer, 0, sizeof(buffer));
+ ret = mpol_to_str(buffer, sizeof(buffer), mpol, 1);
+ if (ret > 0)
+ seq_printf(seq, ",mpol=%s", buffer);
}

static struct mempolicy *shmem_get_sbmpol(struct shmem_sb_info *sbinfo)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave Jones: "Re: mpol_to_str revisited."
Previous message: Kirill A. Shutemov: "Re: [PATCH v2] gma500: medfield: drop bogus NULL check inmdfld_dsi_output_init()"
Next in thread: Dave Jones: "Re: mpol_to_str revisited."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]