[PATCH] uml: fix hostfs lookup

[PATCH] uml: fix hostfs lookup

[Miklos Szeredi]

From: Miklos Szeredi <mszeredi@suse.cz>

commit e9193059 (hostfs: fix races in dentry_name() and inode_name())
broke hostfs lookup.

The cause of the bug is that strncpy() zero fills the whole buffer.

Replace strncpy() with memcpy() and replace open coded memory move
with memmove().

Reported-by: Jouni Malinen <jkmalinen@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/hostfs/hostfs_kern.c |   14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/hostfs/hostfs_kern.c
===================================================================
--- linux-2.6.orig/fs/hostfs/hostfs_kern.c	2010-08-18 14:53:22.000000000 +0200
+++ linux-2.6/fs/hostfs/hostfs_kern.c	2010-08-18 15:04:25.000000000 +0200
@@ -100,20 +100,12 @@ static char *__dentry_name(struct dentry
 
 	root = dentry->d_sb->s_fs_info;
 	len = strlen(root);
-	if (IS_ERR(p)) {
+	if (IS_ERR(p) || len > p - name) {
 		__putname(name);
 		return NULL;
 	}
-	strncpy(name, root, PATH_MAX);
-	if (len > p - name) {
-		__putname(name);
-		return NULL;
-	}
-	if (p > name + len) {
-		char *s = name + len;
-		while ((*s++ = *p++) != '\0')
-			;
-	}
+	memcpy(name, root, len);
+	memmove(name + len, p, PATH_MAX - (p - name) + 1);
 	return name;
 }
 

Re: [PATCH] uml: fix hostfs lookup

[Miklos Szeredi]

Oops, sorry.  Off-by-one bug crept in there.

Updated patch follows.

Thanks,
Miklos

----
Subject: uml: fix hostfs lookup

From: Miklos Szeredi <mszeredi@suse.cz>

commit e9193059 (hostfs: fix races in dentry_name() and inode_name())
broke hostfs lookup.

The cause of the bug was that strncpy() zero fills the whole buffer.

Replace strncpy() with memcpy() and replace open coded memory move
with memmove().

Reported-by: Jouni Malinen <jkmalinen@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
 fs/hostfs/hostfs_kern.c |   14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

Index: linux-2.6/fs/hostfs/hostfs_kern.c
===================================================================
--- linux-2.6.orig/fs/hostfs/hostfs_kern.c	2010-08-18 15:09:07.000000000 +0200
+++ linux-2.6/fs/hostfs/hostfs_kern.c	2010-08-18 15:36:34.000000000 +0200
@@ -100,20 +100,12 @@ static char *__dentry_name(struct dentry
 
 	root = dentry->d_sb->s_fs_info;
 	len = strlen(root);
-	if (IS_ERR(p)) {
+	if (IS_ERR(p) || len > p - name) {
 		__putname(name);
 		return NULL;
 	}
-	strncpy(name, root, PATH_MAX);
-	if (len > p - name) {
-		__putname(name);
-		return NULL;
-	}
-	if (p > name + len) {
-		char *s = name + len;
-		while ((*s++ = *p++) != '\0')
-			;
-	}
+	memcpy(name, root, len);
+	memmove(name + len, p, PATH_MAX - (p - name));
 	return name;
 }
 

Re: [PATCH] uml: fix hostfs lookup

[Al Viro]

On Wed, Aug 18, 2010 at 03:39:49PM +0200, Miklos Szeredi wrote:
> Oops, sorry.  Off-by-one bug crept in there.

It's already fixed in the queue (see #untested in vfs-2.6)

Re: [PATCH] uml: fix hostfs lookup

[Miklos Szeredi]

On Wed, 18 Aug 2010, Al Viro wrote:
> On Wed, Aug 18, 2010 at 03:39:49PM +0200, Miklos Szeredi wrote:
> > Oops, sorry.  Off-by-one bug crept in there.
> 
> It's already fixed in the queue (see #untested in vfs-2.6)

Your fix is still wrong for the pathological case of len == p - name,
that's why I opted not to use strlcpy.

Thanks,
Miklos