• V
    fs: fix overflow in sys_mount() for in-kernel calls · eca6f534
    Vegard Nossum 提交于
    sys_mount() reads/copies a whole page for its "type" parameter.  When
    do_mount_root() passes a kernel address that points to an object which is
    smaller than a whole page, copy_mount_options() will happily go past this
    memory object, possibly dereferencing "wild" pointers that could be in any
    state (hence the kmemcheck warning, which shows that parts of the next
    page are not even allocated).
    
    (The likelihood of something going wrong here is pretty low -- first of
    all this only applies to kernel calls to sys_mount(), which are mostly
    found in the boot code.  Secondly, I guess if the page was not mapped,
    exact_copy_from_user() _would_ in fact handle it correctly because of its
    access_ok(), etc.  checks.)
    
    But it is much nicer to avoid the dubious reads altogether, by stopping as
    soon as we find a NUL byte.  Is there a good reason why we can't do
    something like this, using the already existing strndup_from_user()?
    
    [akpm@linux-foundation.org: make copy_mount_string() static]
    [AV: fix compat mount breakage, which involves undoing akpm's change above]
    Reported-by: NIngo Molnar <mingo@elte.hu>
    Signed-off-by: NVegard Nossum <vegard.nossum@gmail.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Pekka Enberg <penberg@cs.helsinki.fi>
    Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Nal <al@dizzy.pdmi.ras.ru>
    eca6f534
compat.c 55.3 KB