Re: [PATCH] x86: uaccess: fix regression in unsafe_get_user
From: Thomas Gleixner
Date: Mon Feb 18 2019 - 08:04:34 EST
On Sun, 17 Feb 2019, Al Viro wrote:
> On Sun, Feb 17, 2019 at 03:41:21AM +0000, Arthur Gautier wrote:
> Who says anything about changing the format of the file? At least
> one trivial way to handle that would be this:
>
> diff --git a/init/initramfs.c b/init/initramfs.c
> index 7cea802d00ef..edbddfb73106 100644
> --- a/init/initramfs.c
> +++ b/init/initramfs.c
> @@ -265,8 +265,12 @@ static int __init do_header(void)
> state = Collect;
> return 0;
> }
> - if (S_ISREG(mode) || !body_len)
> - read_into(name_buf, N_ALIGN(name_len), GotName);
> + if (S_ISREG(mode) || !body_len) {
> + collect = collected = name_buf;
> + remains = N_ALIGN(name_len);
> + next_state = GotName;
> + state = Collect;
> + }
> return 0;
> }
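Review bot: the open-coded block in the `S_ISREG(mode) || !body_len` branch sets `state = Collect` with `remains = N_ALIGN(name_len)` but nothing in the hunk guarantees that this many bytes of input will still be delivered, so the case where the name is the last thing in the input needs explicit handling or a stated guarantee. The block also has no comment saying why read_into() is bypassed and the name is always gathered into name_buf; without one, a later cleanup is likely to fold the five assignments back into the single read_into() call. A short comment above the block, or a small helper with a descriptive name, would cover that.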
That does not help much because that is exactly at the end of the
decompressed image and the decompressor is done. So nothing would collect
the remainder anymore.
> Another would be to have the buffer passed to flush_buffer() (i.e.
> the callback of decompress_fn) allocated with 4 bytes of padding
> past the part where the unpacked piece of data is placed for the
> callback to find. As in,
>
> diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c
> index 63b4b7eee138..ca3f7ecc9b35 100644
> --- a/lib/decompress_inflate.c
> +++ b/lib/decompress_inflate.c
> @@ -48,7 +48,7 @@ STATIC int INIT __gunzip(unsigned char *buf, long len,
> rc = -1;
> if (flush) {
> out_len = 0x8000; /* 32 K */
> - out_buf = malloc(out_len);
> + out_buf = malloc(out_len + 4);
+8 actually.
> } else {
> if (!out_len)
> out_len = ((size_t)~0) - (size_t)out_buf; /* no limit */
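Review bot: the bare `+ 4` in `malloc(out_len + 4)` is a magic number with no comment tying it to the access width it is meant to cover, and the thread already disagrees on the value. A named constant with a one-line comment, shared with the other decompressors, would keep the copies from drifting apart. Two further points on the same line: malloc() does not initialise the padding, so anything that reads into it sees arbitrary bytes unless the pad is cleared, and only the `if (flush)` branch is padded while the `else` branch uses a caller-supplied out_buf whose size this hunk does not touch, so the commit message should say why that path is not affected.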
>
> for gunzip/decompress and similar ones for bzip2, etc. The contents
> layout doesn't have anything to do with that...
Right. That works nicely.
Thanks,
tglx