Mysterious string truncation in 2.4.25 kernel

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Glen Nakamura <glen@imodulo.com>
To: linux-kernel@vger.kernel.org
Cc: jmorris@redhat.com
Subject: Mysterious string truncation in 2.4.25 kernel
Date: Tue, 2 Mar 2004 23:53:53 +0000	[thread overview]
Message-ID: <20040302235353.GA4215@modulo.internal> (raw)

Aloha,

I'm running a patched 2.4.25 kernel and I noticed truncated strings in
various procfs files.  e.g.

# cat /proc/tty/drivers
se                   /dev/cua/%d     5  64-127 serial:callout
se                   /dev/tts/%d     4  64-127 se
pty_slave            /dev/pts/%d   136   0-255 pty:slave
pty_master           /dev/ptm      128   0-255 pty:master
pty_slave            /dev/pty/s%d    3   0-255 pty:slave
pty_master           /dev/pty/m%d    2   0-255 pty:master
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
/dev/ptmx            /dev/ptmx       5       2 system
/dev/console         /dev/console    5       1 system:console
/dev/tty             /dev/tty        5       0 system:/dev/tty
unknown              /dev/vc/%d      4    1-63 console

Notice that "serial" is output as "se" in the top two lines.
I was able to produce similar results on a vanilla 2.4.25 kernel by
simply changing the length of a few strings in fs/proc/proc_tty.c.
I believe the problem is caused by the following patch:

ChangeSet@1.1290.1.16  2004-01-31 21:16:34-02:00  jmorris@redhat.com

> [PATCH] Zero last byte of mount option page
> 
> Hi Al,
> 
> Here's a patch which zeroes the last byte of the mount option data copied
> from userspace during mount(2).
> 
> For filesystems which parse mount options as strings (the majority), lack
> of a zero terminator could cause the page to be overrun.  The source code
> comments specify that the maximum size of the mount data is PAGE_SIZE-1,
> so this patch will not affect any valid binary-formatted mount data.

--- 1.24/fs/namespace.c	Tue Mar  2 15:50:11 2004
+++ 1.25/fs/namespace.c	Tue Mar  2 15:50:11 2004
@@ -715,6 +715,9 @@
 	if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))
 		return -EINVAL;
 
+	if (data_page)
+		((char *)data_page)[PAGE_SIZE - 1] = 0;
+
 	/* Separate the per-mountpoint flags */
 	if (flags & MS_NOSUID)
 		mnt_flags |= MNT_NOSUID;

Could someone please comment on the correctness of the above patch
especially regarding procfs?

- glen

next             reply	other threads:[~2004-03-02 23:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-03-02 23:53 Glen Nakamura [this message]
2004-03-03  4:03 ` Mysterious string truncation in 2.4.25 kernel James Morris
2004-03-03  5:35   ` Glen Nakamura
2004-03-03  5:43     ` Glen Nakamura
2004-03-03  5:49     ` James Morris
2004-03-03  9:41       ` Herbert Xu
2004-03-03 10:18       ` Marcelo Tosatti
2004-03-03 13:51         ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040302235353.GA4215@modulo.internal \
    --to=glen@imodulo.com \
    --cc=jmorris@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.