Re: [PATCHv3] Fix range checks in kernfs_get_target_path

From: Tejun Heo
Date: Mon Aug 27 2018 - 10:03:23 EST

Next message: Kees Cook: "Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL"
Previous message: Eugen Hristev: "[PATCH v7 RESEND 2/2] ARM: dts: at91: sama5d2: Add resistive touch device"
In reply to: Bernd Edlinger: "Re: [PATCHv3] Fix range checks in kernfs_get_target_path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Aug 26, 2018 at 10:55:24AM +0000, Bernd Edlinger wrote:
> Ping...
> Sorry, I had actually completely forgotten about this one.
>
> On 07/07/18 19:52, Bernd Edlinger wrote:
> > The terminating NUL byte is only there because the buffer is
> > allocated with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the
> > range-check is off-by-one, and PAGE_SIZE==PATH_MAX, the
> > returned string may not be zero-terminated if it is exactly
> > PATH_MAX characters long. Furthermore also the initial loop
> > may theoretically exceed PATH_MAX and cause a fault.
> >
> > Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx>

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun

Next message: Kees Cook: "Re: [PATCH] net: sched: Fix memory exposure from short TCA_U32_SEL"
Previous message: Eugen Hristev: "[PATCH v7 RESEND 2/2] ARM: dts: at91: sama5d2: Add resistive touch device"
In reply to: Bernd Edlinger: "Re: [PATCHv3] Fix range checks in kernfs_get_target_path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]