    dentry->d_inode = sbi->inodes[entry];
    if ( dentry->d_inode )
Sadly it only checks that the filename is all 0 to 9 and has no leading 0s.
There is no check that entry is small enough to be a legitimate index of
the sbi->inodes[]. Since the default is 256 and most people go with that,
cat /dev/pts/666 is normally lethal. If you are unlucky dentry->d_inode contains
some really lethal screwy data and the dentry->d_inode->i_count++ screws
some important data structure somewhere.
I changed my kernel to say
    if (entry<sbi->max_ptys) /* Check range of number */
        dentry->d_inode = sbi->inodes[entry];
    if ( dentry->d_inode )
instead so if entry is too big dentry stays NULL and the naughty memory
reference does not happen.
libpt-0.3, available by anonymous ftp from in the pub/word2x
directory, contains a demo/bug test program and a diff to apply this fix in the
patches directory.
Assuming you have gcc <2.8 it might also work too. (glibc 2.1.x is a loser,
because it insists on gcc >2.8 or egcs >1.0.2 to avoid tickling bugs.) This
bug is not fixed in 2.1.121 (or anything else, probably).
An alternative patch says
    if (entry>=sbi->max_ptys)
        return 0;
before using index as an array element number.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Please read the FAQ at