From: Xiaotian Feng <dfeng@redhat.com>
To: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Xiaotian Feng <dfeng@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Neil Horman <nhorman@tuxdriver.com>,
Roland McGrath <roland@redhat.com>
Subject: [RFC PATCH] core_pattern: fix long parameters was truncated by core_pattern handler
Date: Thu, 29 Jul 2010 20:42:44 +0800
Message-ID: <1280407364-32466-1-git-send-email-dfeng@redhat.com>
We met a parameter truncation issue; consider the following:
> echo "|/root/core_pattern_pipe_test %p /usr/libexec/blah-blah-blah \
%s %c %p %u %g %t 11 1234567890123456789012345678901234567890" > \
/proc/sys/kernel/core_pattern
This is okay because the string is less than CORENAME_MAX_SIZE.
"cat /proc/sys/kernel/core_pattern" shows the whole string, but
after we run core_pattern_pipe_test from the man page, we find the last
parameter was truncated as below:
argc[10]=<12345678901234567890123456789012345678>
The root cause is that core_pattern allows % specifiers, which need to be
replaced at parse time, but the replacement may expand the string to
larger than CORENAME_MAX_SIZE.
This patch expands the size of the parsing array and makes the cursor
out_end shift when we replace % specifiers.
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Roland McGrath <roland@redhat.com>
---
fs/exec.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index e19de6a..e67e4b5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1441,7 +1441,7 @@ EXPORT_SYMBOL(set_binfmt);
/* format_corename will inspect the pattern parameter, and output a
* name into corename, which must have space for at least
- * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.
+ * CORENAME_MAX_SIZE * 3 bytes because of % specifiers.
*/
static int format_corename(char *corename, long signr)
{
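Review bot: the replacement comment drops the one byte the old text reserved for the zero terminator and gives no derivation for the factor of 3, so a caller cannot tell what size it must actually provide; the hunks below move out_end by rc - 2 per specifier, which makes the real requirement CORENAME_MAX_SIZE plus the sum of every expansion, and no constant multiple bounds that (a single %h can expand to a 64-byte hostname). Suggest either passing the buffer size into format_corename() and checking against it, or stating in this comment the exact bound the caller must honour, terminator included.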
@@ -1449,7 +1449,7 @@ static int format_corename(char *corename, long signr)
const char *pat_ptr = core_pattern;
int ispipe = (*pat_ptr == '|');
char *out_ptr = corename;
- char *const out_end = corename + CORENAME_MAX_SIZE;
+ char *out_end = corename + CORENAME_MAX_SIZE;
int rc;
int pid_in_pattern = 0;
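Review bot: removing `const` from `char *out_end = corename + CORENAME_MAX_SIZE;` means the value every `rc > out_end - out_ptr` check compares against is no longer the end of any buffer; once it has been advanced, nothing in this function relates it back to the array do_coredump() declares. Keep out_end fixed at the true end of the buffer (ideally passed in by the caller) and track the pattern budget in a separate counter, so the bounds check keeps meaning what its name says.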
@@ -1478,6 +1478,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* uid */
case 'u':
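Review bot: `out_end += rc - 2;` after the pid expansion makes the remaining room shrink by exactly 2 per specifier whatever rc was, so the output can grow to CORENAME_MAX_SIZE plus the sum of all expansions; with pid_max as high as 4194304 (7 digits) on 64-bit, a 128-byte pattern of 64 `%p` specifiers writes 448 bytes, past the 384-byte array the last hunk declares. The `goto out` on the line above only limits each individual snprintf against the moving out_end, not the total, so the accounting needs a cap against the real buffer end as well.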
@@ -1486,6 +1487,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* gid */
case 'g':
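Review bot: the snprintf / `rc > out_end - out_ptr` / `out_ptr += rc` / `out_end += rc - 2` sequence is now copied verbatim into eight cases; a small helper taking the format and value (or at least a macro for the advance-and-shift step) would keep the accounting in one place, so a later change to the bound only has to be made once. As written, the -2 also silently assumes every specifier occupies exactly two pattern bytes, which is true today but is not documented anywhere near these lines.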
@@ -1494,6 +1496,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* signal that caused the coredump */
case 's':
@@ -1502,6 +1505,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* UNIX time of coredump */
case 't': {
@@ -1512,6 +1516,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
}
/* hostname */
@@ -1523,6 +1528,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* executable */
case 'e':
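Review bot: the hostname case shows the bound problem most clearly: nodename is up to 64 bytes, so `out_end += rc - 2` can push the end out by 62 per `%h`, and a 128-byte pattern of 64 `%h` specifiers expands to 4096 bytes, more than ten times CORENAME_MAX_SIZE * 3. The `rc > out_end - out_ptr` check on the line above only fires once the 2-per-specifier budget is used up, by which point roughly 63 * 64 bytes have already been written; this case (and `%e`, with up to 16 bytes of comm) is where an explicit check against the array end is needed.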
@@ -1531,6 +1537,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
/* core limit size */
case 'c':
@@ -1539,6 +1546,7 @@ static int format_corename(char *corename, long signr)
if (rc > out_end - out_ptr)
goto out;
out_ptr += rc;
+ out_end += rc - 2;
break;
default:
break;
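Review bot: the core limit is printed as an unsigned long, and an unlimited core size is 20 decimal digits, so `%c` alone adds 18 bytes beyond its two pattern bytes when the limit is unlimited; that is likely why the reported pattern, well under CORENAME_MAX_SIZE, still overran, and it is worth stating in the changelog since the reporter's numbers depend on it. It also shows that a reviewer cannot bound the expansion from the pattern length, which is the argument for checking against the real buffer end rather than a multiple.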
@@ -1836,7 +1844,7 @@ static int umh_pipe_setup(struct subprocess_info *info)
void do_coredump(long signr, int exit_code, struct pt_regs *regs)
{
struct core_state core_state;
- char corename[CORENAME_MAX_SIZE + 1];
+ char corename[CORENAME_MAX_SIZE * 3];
struct mm_struct *mm = current->mm;
struct linux_binfmt * binfmt;
const struct cred *old_cred;
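Review bot: `char corename[CORENAME_MAX_SIZE * 3];` drops the +1 the old declaration kept for the terminator and triples a stack buffer in do_coredump(), on a path entered after the task has already faulted; and since format_corename() no longer compares against the true end of this array, 384 is not a bound the rest of the patch enforces. Prefer computing the expanded length first and allocating that much (kmalloc, freed at the end of do_coredump()), or keep a fixed-size buffer and fail the dump cleanly when the expansion does not fit, as the old code did, rather than picking a multiple.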
--
1.7.2
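As an added example, not part of the patch or of fs/exec.c, the following user-space model shows the expansion the commit message describes and why a fixed multiple of CORENAME_MAX_SIZE is not a bound on it. The specifier set follows the cases visible in the hunks; the function names, the core_ctx structure and the sample values (pid, time, hostname, core limit) are constructed for the example, and the 64-byte hostname limit is the Linux nodename size. Instead of a moving out_end, it reports the full length the expansion needs, snprintf-style, so a caller can size the buffer from the real expansion or refuse the pattern up front.

```c
/* Added example (user-space model, not fs/exec.c): expand a core_pattern and
 * return the length the result needs, snprintf-style, rather than assuming it
 * fits in a fixed multiple of the pattern length. */
#include <stdio.h>
#include <string.h>

#define CORENAME_MAX_SIZE 128   /* pattern budget, as in the kernel */

/* Constructed stand-ins for the task state the kernel reads at dump time. */
struct core_ctx {
    long pid, uid, gid, sig;
    unsigned long long time, rlim_core;
    const char *host, *comm;   /* nodename (at most 64 bytes on Linux), comm */
};

/* Copy into out while staying under outsz - 1 bytes in total; always count len. */
static void append(char *out, size_t outsz, size_t *need, const char *piece, size_t len)
{
    if (out && outsz && *need < outsz - 1) {
        size_t room = outsz - 1 - *need;
        memcpy(out + *need, piece, len < room ? len : room);
    }
    *need += len;
}

/* Returns the bytes the expansion needs (excluding the NUL); out, if non-NULL,
 * gets a NUL-terminated copy truncated to outsz - 1 bytes. Unknown specifiers
 * are dropped and a trailing '%' ends the pattern, matching the kernel parser. */
static size_t expand_core_pattern(const char *pat, const struct core_ctx *c,
                                  char *out, size_t outsz)
{
    size_t need = 0;
    char num[32];
    for (; *pat; pat++) {
        const char *piece = num;
        if (*pat != '%') {
            append(out, outsz, &need, pat, 1);
            continue;
        }
        switch (*++pat) {
        case '\0': goto done;
        case '%': piece = "%"; break;
        case 'p': snprintf(num, sizeof num, "%ld", c->pid); break;
        case 'u': snprintf(num, sizeof num, "%ld", c->uid); break;
        case 'g': snprintf(num, sizeof num, "%ld", c->gid); break;
        case 's': snprintf(num, sizeof num, "%ld", c->sig); break;
        case 't': snprintf(num, sizeof num, "%llu", c->time); break;
        case 'c': snprintf(num, sizeof num, "%llu", c->rlim_core); break;
        case 'h': piece = c->host; break;
        case 'e': piece = c->comm; break;
        default:  continue;
        }
        append(out, outsz, &need, piece, strlen(piece));
    }
done:
    if (out && outsz)
        out[need < outsz ? need : outsz - 1] = '\0';
    return need;
}

/* True if the expansion plus its terminator fits in bufsz bytes. */
static int expansion_fits(const char *pat, const struct core_ctx *c, size_t bufsz)
{
    return expand_core_pattern(pat, c, NULL, 0) + 1 <= bufsz;
}

/* The pattern from the report (122 bytes, 7 specifiers) with constructed values. */
static const char report_pattern[] =
    "|/root/core_pattern_pipe_test %p /usr/libexec/blah-blah-blah "
    "%s %c %p %u %g %t 11 1234567890123456789012345678901234567890";
static const struct core_ctx sample = {
    .pid = 12345, .uid = 0, .gid = 0, .sig = 11, .time = 1280407364ULL,
    .rlim_core = 18446744073709551615ULL,   /* RLIM_INFINITY prints 20 digits */
    .host = "localhost", .comm = "core_pattern_pipe_test",
};

static const char *expand_report(void)   /* into a buffer sized as the patch's */
{
    static char buf[CORENAME_MAX_SIZE * 3];
    expand_core_pattern(report_pattern, &sample, buf, sizeof buf);
    return buf;
}

/* Worst case for any fixed multiple: 64 "%h" in a 128-byte pattern, 64-byte host. */
static size_t worst_case_hostname_expansion(void)
{
    char pat[CORENAME_MAX_SIZE + 1], host[65];
    struct core_ctx c = sample;
    for (size_t i = 0; i < CORENAME_MAX_SIZE; i += 2) { pat[i] = '%'; pat[i + 1] = 'h'; }
    pat[CORENAME_MAX_SIZE] = '\0';
    memset(host, 'h', 64); host[64] = '\0';
    c.host = host;
    return expand_core_pattern(pat, &c, NULL, 0);
}

int main(void)
{
    printf("%s\nneeds %zu bytes; 64 x %%h with a 64-byte hostname needs %zu\n", expand_report(),
           expand_core_pattern(report_pattern, &sample, NULL, 0), worst_case_hostname_expansion());
    return 0;
}
```

With the constructed values the reported pattern expands to 152 bytes, so it does not fit the old 129-byte buffer but does fit 384; the 64 x %h case needs 4096 bytes, which is why a caller should size from the returned length (or reject the pattern) rather than trust any constant multiple.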
Thread overview: 19+ messages
2010-07-29 12:42 Xiaotian Feng [this message]
2010-07-29 13:31 ` [RFC PATCH] core_pattern: fix long parameters was truncated by core_pattern handler Neil Horman
2010-08-02 12:23 ` [RFC PATCH V2] " Xiaotian Feng
2010-08-02 13:50 ` Oleg Nesterov
2010-08-03 10:59 ` Neil Horman
2010-08-20 9:22 ` [RFC PATCH v3] " Xiaotian Feng
2010-08-20 9:35 ` Xiaotian Feng
2010-08-20 9:35 ` Xiaotian Feng
2010-08-23 11:07 ` Neil Horman
2010-08-23 23:02 ` KOSAKI Motohiro
2010-08-23 21:18 ` Andrew Morton
2010-08-24 6:18 ` Xiaotian Feng
2010-08-24 6:28 ` Andrew Morton
2010-08-24 9:42 ` [PATCH v4] " Xiaotian Feng
2010-08-24 22:47 ` Andrew Morton
2010-08-25 1:58 ` Xiaotian Feng
2010-08-25 2:17 ` [PATCH v5] " Xiaotian Feng
2010-08-02 14:30 ` [RFC PATCH V2] " Denys Vlasenko
2010-08-02 14:30 ` Denys Vlasenko