* [PATCH 0/1] cgroups: strcpy destination string overflow
@ 2010-10-05 8:38 Evgeny Kuznetsov
2010-10-05 8:38 ` [PATCH 1/1] " Evgeny Kuznetsov
[not found] ` <cover.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
0 siblings, 2 replies; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 8:38 UTC (permalink / raw)
To: menage, lizf
Cc: akpm, kamezawa.hiroyu, bblum, containers, linux-kernel,
ext-eugeny.kuznetsov
Hi,
Here is patch which fixes minor bug in /kernel/cgroup.c file.
Function "strcpy" is used without check for maximum allowed source
string length and could cause destination string overflow.
Thanks,
Best Regards,
Evgeny
Evgeny Kuznetsov (1):
cgroups: strcpy destination string overflow
kernel/cgroup.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH 1/1] cgroups: strcpy destination string overflow
2010-10-05 8:38 [PATCH 0/1] cgroups: strcpy destination string overflow Evgeny Kuznetsov
@ 2010-10-05 8:38 ` Evgeny Kuznetsov
[not found] ` <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
2010-10-05 19:48 ` Andrew Morton
[not found] ` <cover.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
1 sibling, 2 replies; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 8:38 UTC (permalink / raw)
To: menage, lizf
Cc: akpm, kamezawa.hiroyu, bblum, containers, linux-kernel,
ext-eugeny.kuznetsov
From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com>
Function "strcpy" is used without check for maximum allowed source
string length and could cause destination string overflow.
Check for string length is added before using "strcpy".
Function now is return error if source string length is more than
a maximum.
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
---
kernel/cgroup.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index c9483d8..82bbede 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
const char *buffer)
{
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ if (strlen(buffer) >= PATH_MAX)
+ return -EINVAL;
if (!cgroup_lock_live_group(cgrp))
return -ENODEV;
strcpy(cgrp->root->release_agent_path, buffer);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 7+ messages in thread[parent not found: <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>]
* Re: [PATCH 1/1] cgroups: strcpy destination string overflow
[not found] ` <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
@ 2010-10-05 19:48 ` Andrew Morton
0 siblings, 0 replies; 7+ messages in thread
From: Andrew Morton @ 2010-10-05 19:48 UTC (permalink / raw)
To: Evgeny Kuznetsov
Cc: bblum-OM76b2Iv3yLQjUSlxSEPGw,
ext-eugeny.kuznetsov-xNZwKgViW5gAvxtiuMwx3w,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
menage-hpIqsD4AKlfQT0dZR+AlfA
On Tue, 5 Oct 2010 12:38:05 +0400
Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org> wrote:
> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
>
> Function "strcpy" is used without check for maximum allowed source
> string length and could cause destination string overflow.
> Check for string length is added before using "strcpy".
> Function now is return error if source string length is more than
> a maximum.
>
> Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
> ---
> kernel/cgroup.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index c9483d8..82bbede 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
> const char *buffer)
> {
> BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
> + if (strlen(buffer) >= PATH_MAX)
> + return -EINVAL;
> if (!cgroup_lock_live_group(cgrp))
> return -ENODEV;
> strcpy(cgrp->root->release_agent_path, buffer);
I don't think this can happen, because cftype.max_write_len is
PATH_MAX.
But it's pretty unobvious if this is actually true, and the code is
fragile against future changes.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] cgroups: strcpy destination string overflow
2010-10-05 8:38 ` [PATCH 1/1] " Evgeny Kuznetsov
[not found] ` <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
@ 2010-10-05 19:48 ` Andrew Morton
2010-10-05 19:50 ` Paul Menage
[not found] ` <20101005124802.989f6214.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
1 sibling, 2 replies; 7+ messages in thread
From: Andrew Morton @ 2010-10-05 19:48 UTC (permalink / raw)
To: Evgeny Kuznetsov
Cc: menage, lizf, kamezawa.hiroyu, bblum, containers, linux-kernel,
ext-eugeny.kuznetsov
On Tue, 5 Oct 2010 12:38:05 +0400
Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com>
>
> Function "strcpy" is used without check for maximum allowed source
> string length and could cause destination string overflow.
> Check for string length is added before using "strcpy".
> Function now is return error if source string length is more than
> a maximum.
>
> Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
> ---
> kernel/cgroup.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index c9483d8..82bbede 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
> const char *buffer)
> {
> BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
> + if (strlen(buffer) >= PATH_MAX)
> + return -EINVAL;
> if (!cgroup_lock_live_group(cgrp))
> return -ENODEV;
> strcpy(cgrp->root->release_agent_path, buffer);
I don't think this can happen, because cftype.max_write_len is
PATH_MAX.
But it's pretty unobvious if this is actually true, and the code is
fragile against future changes.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 1/1] cgroups: strcpy destination string overflow
2010-10-05 19:48 ` Andrew Morton
@ 2010-10-05 19:50 ` Paul Menage
[not found] ` <20101005124802.989f6214.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
1 sibling, 0 replies; 7+ messages in thread
From: Paul Menage @ 2010-10-05 19:50 UTC (permalink / raw)
To: Andrew Morton
Cc: Evgeny Kuznetsov, lizf, kamezawa.hiroyu, bblum, containers,
linux-kernel
On Tue, Oct 5, 2010 at 12:48 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Tue, 5 Oct 2010 12:38:05 +0400
> Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
>
>> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com>
>>
>> Function "strcpy" is used without check for maximum allowed source
>> string length and could cause destination string overflow.
>> Check for string length is added before using "strcpy".
>> Function now is return error if source string length is more than
>> a maximum.
>>
>> Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
>> ---
>> kernel/cgroup.c | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>> index c9483d8..82bbede 100644
>> --- a/kernel/cgroup.c
>> +++ b/kernel/cgroup.c
>> @@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
>> const char *buffer)
>> {
>> BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
>> + if (strlen(buffer) >= PATH_MAX)
>> + return -EINVAL;
>> if (!cgroup_lock_live_group(cgrp))
>> return -ENODEV;
>> strcpy(cgrp->root->release_agent_path, buffer);
>
> I don't think this can happen, because cftype.max_write_len is
> PATH_MAX.
Yes, it shouldn't be possible.
>
> But it's pretty unobvious if this is actually true, and the code is
> fragile against future changes.
Fair enough - adding the check doesn't hurt anything.
Acked-by: Paul Menage <menage@google.com>
^ permalink raw reply [flat|nested] 7+ messages in thread[parent not found: <20101005124802.989f6214.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>]
* Re: [PATCH 1/1] cgroups: strcpy destination string overflow
[not found] ` <20101005124802.989f6214.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
@ 2010-10-05 19:50 ` Paul Menage
0 siblings, 0 replies; 7+ messages in thread
From: Paul Menage @ 2010-10-05 19:50 UTC (permalink / raw)
To: Andrew Morton
Cc: bblum-OM76b2Iv3yLQjUSlxSEPGw, Evgeny Kuznetsov,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA
On Tue, Oct 5, 2010 at 12:48 PM, Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> wrote:
> On Tue, 5 Oct 2010 12:38:05 +0400
> Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org> wrote:
>
>> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
>>
>> Function "strcpy" is used without check for maximum allowed source
>> string length and could cause destination string overflow.
>> Check for string length is added before using "strcpy".
>> Function now is return error if source string length is more than
>> a maximum.
>>
>> Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
>> ---
>> kernel/cgroup.c | 2 ++
>> 1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>> index c9483d8..82bbede 100644
>> --- a/kernel/cgroup.c
>> +++ b/kernel/cgroup.c
>> @@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
>> const char *buffer)
>> {
>> BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
>> + if (strlen(buffer) >= PATH_MAX)
>> + return -EINVAL;
>> if (!cgroup_lock_live_group(cgrp))
>> return -ENODEV;
>> strcpy(cgrp->root->release_agent_path, buffer);
>
> I don't think this can happen, because cftype.max_write_len is
> PATH_MAX.
Yes, it shouldn't be possible.
>
> But it's pretty unobvious if this is actually true, and the code is
> fragile against future changes.
Fair enough - adding the check doesn't hurt anything.
Acked-by: Paul Menage <menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <cover.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>]
* [PATCH 1/1] cgroups: strcpy destination string overflow
[not found] ` <cover.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
@ 2010-10-05 8:38 ` Evgeny Kuznetsov
0 siblings, 0 replies; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 8:38 UTC (permalink / raw)
To: menage-hpIqsD4AKlfQT0dZR+AlfA, lizf-BthXqXjhjHXQFUHtdCDX3A
Cc: bblum-OM76b2Iv3yLQjUSlxSEPGw,
ext-eugeny.kuznetsov-xNZwKgViW5gAvxtiuMwx3w,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b
From: Evgeny Kuznetsov <ext-eugeny.kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
Function "strcpy" is used without check for maximum allowed source
string length and could cause destination string overflow.
Check for string length is added before using "strcpy".
Function now is return error if source string length is more than
a maximum.
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
---
kernel/cgroup.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index c9483d8..82bbede 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1883,6 +1883,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
const char *buffer)
{
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ if (strlen(buffer) >= PATH_MAX)
+ return -EINVAL;
if (!cgroup_lock_live_group(cgrp))
return -ENODEV;
strcpy(cgrp->root->release_agent_path, buffer);
--
1.6.3.3
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-10-05 19:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-05 8:38 [PATCH 0/1] cgroups: strcpy destination string overflow Evgeny Kuznetsov
2010-10-05 8:38 ` [PATCH 1/1] " Evgeny Kuznetsov
[not found] ` <2acb25707f916de866aa520b1a9f04f0f48c949c.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
2010-10-05 19:48 ` Andrew Morton
2010-10-05 19:48 ` Andrew Morton
2010-10-05 19:50 ` Paul Menage
[not found] ` <20101005124802.989f6214.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2010-10-05 19:50 ` Paul Menage
[not found] ` <cover.1286193571.git.EXT-Eugeny.Kuznetsov-xNZwKgViW5gAvxtiuMwx3w@public.gmane.org>
2010-10-05 8:38 ` Evgeny Kuznetsov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.