From: Rob Landley <rlandley@parallels.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Ensure user-supplied string null terminated before kstrdup()
Date: Thu, 3 Feb 2011 21:48:08 -0600 [thread overview]
Message-ID: <4D4B76F8.8060500@parallels.com> (raw)
In-Reply-To: <1296788385.2957.8.camel@heimdal.trondhjem.org>
On 02/03/2011 08:59 PM, Trond Myklebust wrote:
> On Thu, 2011-02-03 at 16:13 -0600, Rob Landley wrote:
>> From: Rob Landley <rlandley@parallels.com>
>>
>> Make sure user string is null terminated before copying it.
>>
>> Signed-off-by: Rob Landley <rlandley@parallels.com>
>> ---
>>
>> fs/nfs/super.c | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
>> index b68c860..0ad1255 100644
>> --- a/fs/nfs/super.c
>> +++ b/fs/nfs/super.c
>> @@ -1881,9 +1881,12 @@ static int nfs_validate_mount_data(void *options,
>>
>> if (!(data->flags & NFS_MOUNT_TCP))
>> args->nfs_server.protocol = XPRT_TRANSPORT_UDP;
>> + /* Force null termination of data->hostname no matter what
>> + user passed in. */
>> + args->namlen = data->namlen;
>> + data->namlen = 0;
>> /* N.B. caller will free nfs_server.hostname in all cases */
>> args->nfs_server.hostname = kstrdup(data->hostname, GFP_KERNEL);
>> - args->namlen = data->namlen;
>> args->bsize = data->bsize;
>>
>> if (data->flags & NFS_MOUNT_SECFLAVOUR)
>
> The "namlen" mount option bears absolutely no relation to the server
> hostname AFAIK. I can't see how this patch makes sense...
That field is right after the hostname in the struct, therefore if it's
zeroed the data->hostname is guaranteed to be null terminated at the end
of its nominal range. (A bit subtle, hence the comment.)
This isn't necessarily the proper fix, but I don't see why the user
can't feed in a "data" blob with an arbitrarily long hostname. This is
user supplied data we're arbitrarily kstrdup()ing without checking it,
right? (Is there a size limit on the option string? Does the range
check on userspace pointers prevent it from being right _before_
something we shouldn't read and padding up to it?)
Entirely possible this is benign and irrelevant, and you probably have
to be root to trigger it, but it's the kind of security "huh" I thought
I'd ping the list about rather than assuming my inability to figure out
how to exploit it of the top of my head means there's nothing lurking.
Rob
next prev parent reply other threads:[~2011-02-04 3:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-03 22:13 [PATCH] Ensure user-supplied string null terminated before kstrdup() Rob Landley
2011-02-04 2:59 ` Trond Myklebust
2011-02-04 3:48 ` Rob Landley [this message]
2011-02-04 4:21 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D4B76F8.8060500@parallels.com \
--to=rlandley@parallels.com \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.