[PATCH] sys_hpux: fix strlen_user() race
Userspace can alter the string after the kernel has run strlen_user(). Also: the strlen_user() return value includes the \0, so fix that. Also: handle EFAULT from strlen_user(). It's unlikely anyone is using this code. Very, very unlikely. If I remember correctly, CONFIG_HPUX turns this code on, but one would actually need CONFIG_BINFMT_SOM to load a binary that could cause a problem, and BINFMT_SOM has had an #error in it for quite some time. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent
b5173119ff
commit
1fcbf053e5
1 changed files with 7 additions and 3 deletions
|
@ -468,19 +468,23 @@ int hpux_sysfs(int opcode, unsigned long arg1, unsigned long arg2)
|
|||
if ( opcode == 1 ) { /* GETFSIND */
|
||||
len = strlen_user((char *)arg1);
|
||||
printk(KERN_DEBUG "len of arg1 = %d\n", len);
|
||||
|
||||
fsname = (char *) kmalloc(len+1, GFP_KERNEL);
|
||||
if (len == 0)
|
||||
return 0;
|
||||
fsname = (char *) kmalloc(len, GFP_KERNEL);
|
||||
if ( !fsname ) {
|
||||
printk(KERN_DEBUG "failed to kmalloc fsname\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ( copy_from_user(fsname, (char *)arg1, len+1) ) {
|
||||
if ( copy_from_user(fsname, (char *)arg1, len) ) {
|
||||
printk(KERN_DEBUG "failed to copy_from_user fsname\n");
|
||||
kfree(fsname);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* String could be altered by userspace after strlen_user() */
|
||||
fsname[len] = '\0';
|
||||
|
||||
printk(KERN_DEBUG "that is '%s' as (char *)\n", fsname);
|
||||
if ( !strcmp(fsname, "hfs") ) {
|
||||
fstype = 0;
|
||||
|
|
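Review bot: `fsname[len] = '\0';` stores one byte past the end of the buffer, because the new allocation is `kmalloc(len, GFP_KERNEL)` and its valid indices stop at `len - 1`. The commit message says the strlen_user() return value already counts the terminator, so the store should be `fsname[len - 1] = '\0';`. That still bounds the string if userspace rewrote it between strlen_user() and copy_from_user(), without touching memory outside the allocation. Separately, the new `len == 0` fault path returns 0 like the other failure paths; whether a caller can tell that apart from a real result is not visible here, since hpux_sysfs() begins and ends outside the hunk.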