From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Charley (Hao Chuan) Chu" <charley.chu@broadcom.com>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] FS: Fixed buffer overflow issue in seq_read()
Date: Tue, 19 Nov 2013 01:26:47 +0000	[thread overview]
Message-ID: <20131119012647.GB10323@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFyE=EDqMt1E94FSOFNEVWMS+mNVsJZYwiRmWfyB5HkykA@mail.gmail.com>

On Mon, Nov 18, 2013 at 04:38:03PM -0800, Linus Torvalds wrote:
> Hmm.. Al - this looks like a major oversight, but it also looks like
> the wrong place to initialize count/from in, just because it doesn't
> follow any sane patterns.
> 
> My gut feel is that this needs more cleanup and some sane helper
> function that always initializes those fields when allocating a new
> buffer. Rather than the "initialize in random places and then miss a
> few".
> 
> Afaik, those fields currently get (re-)initialized when:
> 
>  - We do the memset() of the whole seq_file structure at seq_open() time.
> 
>  - at the top of traverse()
> 
>  - count (but not from) gets reinitialized when growing the buffer or
> after traverse() fails in seq_read()
> 
> and it really doesn't give me that happy fuzzy feeling of "that all
> makes sense". Charley's patch seems to fix a missing initialization,
> but I'd *really* like to have it all make more sense, and feel that
> we're not missing some *other* initialization.
> 
> Al?

See upthread.  The bug is real, but I would rather go for a different
fix; it's not worth helper functions, though - we have exactly two places
where we free m->buf without freeing m itself, and all we need to do is
clear m->count in those two places.  No point delaying that to the
next call of seq_read() (and no point cleaning m->from at all), as soon
as we free m->buf we obviously lose all the data that might've been in it.
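An added illustration of the stale-count problem the thread describes, written for this page and not taken from the kernel or from either patch. It models the discussed fields of struct seq_file in a constructed struct, shows the release path with and without the count reset that Al proposes, and checks whether the copy step of a subsequent read would stay inside a smaller replacement buffer.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for struct seq_file with only the fields the thread
 * discusses; this is not the kernel's definition. */
struct seq_file_model {
    char *buf;     /* output buffer, freed and reallocated over time */
    size_t size;   /* allocated size of buf */
    size_t count;  /* bytes of valid data in buf */
    size_t from;   /* read offset into that data */
};

/* Release the buffer the way the two call sites did: count is left stale. */
static void release_buf_stale_count(struct seq_file_model *m)
{
    free(m->buf);
    m->buf = NULL;
    m->size = 0;
}

/* Al's fix: the data is gone, so clear count right here. from is left
 * alone; the thread notes traverse() reinitializes it anyway. */
static void release_buf_clear_count(struct seq_file_model *m)
{
    release_buf_stale_count(m);
    m->count = 0;
}

/* Model of the copy in seq_read(): count - from bytes leave buf + from.
 * Returns 1 if that copy stays inside the current allocation. */
static int copy_stays_in_bounds(const struct seq_file_model *m, size_t *n)
{
    *n = m->count - m->from;
    return m->buf != NULL && m->from + *n <= m->size;
}

/* Fill a 64-byte buffer, release it, come back with a 16-byte one, and ask
 * whether the next read would run past the new buffer. */
static int scenario(void (*release)(struct seq_file_model *))
{
    struct seq_file_model m = { malloc(64), 64, 0, 0 };
    memset(m.buf, 'A', m.size);
    m.count = m.size;          /* buffer is full of valid data */
    release(&m);
    m.buf = malloc(16); m.size = 16;   /* new, smaller allocation */
    size_t n;
    int ok = copy_stays_in_bounds(&m, &n);
    free(m.buf);
    return ok;   /* stale count: 0 (64 bytes from a 16-byte buf); cleared: 1 */
}
```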
