From: Coywolf Qi Hunt <qiyong@fc-cn.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Yi Yang <yang.y.yi@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
gregkh@suse.de, Andrew Morton <akpm@osdl.org>
Subject: Re: [PATCH] Fix user data corrupted by old value return of sysctl
Date: Sat, 31 Dec 2005 17:25:01 +0800
Message-ID: <20051231092501.GA4776@localhost.localdomain>
In-Reply-To: <Pine.LNX.4.64.0512300916220.3249@g5.osdl.org>
On Fri, Dec 30, 2005 at 09:25:35AM -0800, Linus Torvalds wrote:
>
>
> On Fri, 30 Dec 2005, Yi Yang wrote:
> >
> > If the user reads a sysctl entry which is of string type
> > by sysctl syscall, this call probably corrupts the user data
> > right after the old value buffer, the issue lies in sysctl_string
> > setting 0 to oldval[len], len is the available buffer size
> > specified by the user, obviously, this will write to the first
> > byte of the user memory place immediately after the old value buffer,
> > the correct way is that sysctl_string doesn't set 0, the user
> > should do it by itself in the program.
>
> Hmm.. I think this patch is incomplete.
>
> We _should_ zero-pad the data, at least if the result fits in the buffer.
>
> So I think the correct fix is to just _copy_ the last zero if it fits in
> the buffer, rather than do the unconditional "add NUL at the end" thing.
> The simplest way to do that is to just make "l" be "strlen(str)+1", so
> that we count the ending NUL in the length (and then, if the buffer isn't
> big enough, we will truncate it).
>
> In other words, I would instead suggest a patch like the appended.
>
> But even that is questionable: one alternative is to always zero-pad (like
> we used to), but make sure that the buffer size is sufficient for it (ie
> instead of adding one to the length of the string, we'd subtract one from
> the buffer length and make sure that the '\0' fits..
>
> Comments?
Always do zero-pad please. I'd feel more comfortable with C strings (NULL
terminated). Don't you?
Poor code, also a small cleanup attached.
Signed-off-by: Coywolf Qi Hunt <qiyong@fc-cn.com>
---
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e5102ea..9960a26 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2203,7 +2203,7 @@ int sysctl_string(ctl_table *table, int
if (len) {
l = strlen(table->data)+1;
if (len > l) len = l;
- if (len >= table->maxlen)
+ if (len > table->maxlen)
len = table->maxlen;
if(copy_to_user(oldval, table->data, len))
return -EFAULT;
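Review bot: the `>=` to `>` change is behaviour-neutral, because the body assigns `len = table->maxlen`, which is a no-op when `len == table->maxlen` already; that is fine as a cleanup, but the description should say so, and it should state that the context line `l = strlen(table->data)+1;` means this hunk applies on top of the patch Linus proposed earlier in the thread rather than to the current tree. It also leaves open the zero-pad question raised in the message body: with the `len > l` clamp, a value that does not fit in the user buffer is still returned without a terminating NUL.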
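To make the two behaviours discussed in this thread concrete, here is an added userspace model of the old-value copy (example code, not the kernel's sysctl.c): `old_sysctl_copy` follows the pre-fix logic as Yi Yang describes it, `fixed_sysctl_copy` follows Linus's strlen+1 variant, and a guard byte placed just past a caller-supplied buffer shows where the one-byte overrun lands. The buffer sizes, the 64-byte `maxlen` and the guard value are constructed for the demonstration.

```c
#include <string.h>
#include <stdio.h>

#define MAXLEN 64          /* stands in for table->maxlen (constructed) */
#define GUARD  0xA5        /* canary placed right after the user buffer */

/* Pre-fix behaviour as described in the thread: count only the characters,
 * then store a NUL at oldval[len] even when len already fills the buffer. */
size_t old_sysctl_copy(const char *data, size_t maxlen, char *oldval, size_t len)
{
    size_t l = strlen(data);
    if (len > l) len = l;
    if (len >= maxlen) len = maxlen;
    memcpy(oldval, data, len);
    oldval[len] = '\0';     /* one byte past the buffer when len == its size */
    return len + 1;         /* bytes actually written */
}

/* Linus's proposal: count the NUL in l, so it is copied only if it fits and
 * the value is truncated (without a terminator) otherwise. */
size_t fixed_sysctl_copy(const char *data, size_t maxlen, char *oldval, size_t len)
{
    size_t l = strlen(data) + 1;
    if (len > l) len = l;
    if (len > maxlen) len = maxlen;
    memcpy(oldval, data, len);
    return len;
}

typedef size_t (*copy_fn)(const char *, size_t, char *, size_t);

/* Run one variant into a bufsize-byte user buffer followed by a guard byte.
 * Returns 1 if the guard was clobbered (out-of-bounds write), else 0. */
int guard_clobbered(copy_fn fn, const char *data, size_t bufsize)
{
    char user[MAXLEN + 1];
    memset(user, 0, sizeof user);
    user[bufsize] = (char)GUARD;
    fn(data, MAXLEN, user, bufsize);
    return (unsigned char)user[bufsize] != GUARD;
}

/* Returns 1 if the returned value is NUL-terminated within bufsize bytes. */
int result_terminated(copy_fn fn, const char *data, size_t bufsize)
{
    char user[MAXLEN + 1];
    memset(user, 'X', sizeof user);
    fn(data, MAXLEN, user, bufsize);
    return memchr(user, '\0', bufsize) != NULL;
}
```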