* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface [not found] <OF06EBF3D5.39937A14-ON87256CDB.004FD627@us.ibm.com> @ 2003-02-28 14:59 ` Kevin Corry 2003-02-28 18:14 ` Horst von Brand 0 siblings, 1 reply; 10+ messages in thread From: Kevin Corry @ 2003-02-28 14:59 UTC (permalink / raw) To: Joe Perches, LKML; +Cc: Linus Torvalds, Joe Thornber On Friday 28 February 2003 08:32, you wrote: > On Thu, 2003-02-27 at 14:05, Kevin Corry wrote: > > Unfortunately, Linus seems to have committed that patch already. So here > > is a patch to fix just that line. > > > > Thanks for catching that. > > Third time, strlen isn't necessary, it can be done at compile time. > > --- a/drivers/md/dm-ioctl.c 2003/02/27 16:29:58 > +++ b/drivers/md/dm-ioctl.c 2003/02/27 17:21:54 > @@ -174,7 +174,7 @@ > static int register_with_devfs(struct hash_cell *hc) > { > struct gendisk *disk = dm_disk(hc->md); > - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); > + char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR)); > if (!name) { > return -ENOMEM; > } Sorry, I sent the last patch before I got your email. Also, the "+1" is still necessary, even if we switch to sizeof. The sprintf call that follows copies DM_DIR, followed by a slash, followed by the name from the hash table into the allocated string. The "+1" is for the slash in the middle. The terminating NULL character is accounted for in DM_NAME_LEN. Linus, here is (yet another!) patch against current BK. -- Kevin Corry corryk@us.ibm.com http://evms.sourceforge.net/ --- linux-2.5.63-bk4a/drivers/md/dm-ioctl.c Fri Feb 28 08:43:19 2003 +++ linux-2.5.63-bk4b/drivers/md/dm-ioctl.c Fri Feb 28 08:44:08 2003 @@ -174,7 +174,7 @@ static int register_with_devfs(struct hash_cell *hc) { struct gendisk *disk = dm_disk(hc->md); - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL); + char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR) + 1, GFP_KERNEL); if (!name) { return -ENOMEM; } ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-28 14:59 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Kevin Corry @ 2003-02-28 18:14 ` Horst von Brand 2003-02-28 18:31 ` Kevin Corry 0 siblings, 1 reply; 10+ messages in thread From: Horst von Brand @ 2003-02-28 18:14 UTC (permalink / raw) To: Kevin Corry; +Cc: Joe Perches, LKML, Linus Torvalds, Joe Thornber Kevin Corry <corryk@us.ibm.com> said: > On Friday 28 February 2003 08:32, you wrote: > > On Thu, 2003-02-27 at 14:05, Kevin Corry wrote: > > > Unfortunately, Linus seems to have committed that patch already. So here > > > is a patch to fix just that line. > > > > > > Thanks for catching that. > > > > Third time, strlen isn't necessary, it can be done at compile time. > > > > --- a/drivers/md/dm-ioctl.c 2003/02/27 16:29:58 > > +++ b/drivers/md/dm-ioctl.c 2003/02/27 17:21:54 > > @@ -174,7 +174,7 @@ > > static int register_with_devfs(struct hash_cell *hc) > > { > > struct gendisk *disk = dm_disk(hc->md); > > - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); > > + char *name = kmalloc(DM_NAME_LEN + sizeof(DM_DIR)); > > if (!name) { > > return -ENOMEM; > > } > > Sorry, I sent the last patch before I got your email. > > Also, the "+1" is still necessary, even if we switch to sizeof. The sprintf > call that follows copies DM_DIR, followed by a slash, followed by the name > from the hash table into the allocated string. The "+1" is for the slash in > the middle. The terminating NULL character is accounted for in > DM_NAME_LEN. Then it was broken before. sizeof("1234") == strlen("1234") + 1 == 5 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-28 18:14 ` Horst von Brand @ 2003-02-28 18:31 ` Kevin Corry 0 siblings, 0 replies; 10+ messages in thread From: Kevin Corry @ 2003-02-28 18:31 UTC (permalink / raw) To: Horst von Brand; +Cc: Joe Perches, LKML, Linus Torvalds, Joe Thornber On Friday 28 February 2003 12:14, Horst von Brand wrote: > Kevin Corry <corryk@us.ibm.com> said: > > Also, the "+1" is still necessary, even if we switch to sizeof. The > > sprintf call that follows copies DM_DIR, followed by a slash, followed by > > the name from the hash table into the allocated string. The "+1" is for > > the slash in the middle. The terminating NULL character is accounted for > > in > > DM_NAME_LEN. > > Then it was broken before. > > sizeof("1234") == strlen("1234") + 1 == 5 Hmmm...wasn't aware of that. I guess I never expected there to be a difference. If that's the case, then Joe Perches' earlier patch should do the trick, albiet for obscure reasons. And I wouldn't say it was broken the other way; it was simply allocating one byte more than necessary. -- Kevin Corry corryk@us.ibm.com http://evms.sourceforge.net/ ^ permalink raw reply [flat|nested] 10+ messages in thread
* device-mapper patchset 2.5.63-dm-1 @ 2003-02-26 17:05 Joe Thornber 2003-02-26 17:09 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Joe Thornber 0 siblings, 1 reply; 10+ messages in thread From: Joe Thornber @ 2003-02-26 17:05 UTC (permalink / raw) To: Linus Torvalds, Linux Mailing List; +Cc: joe Linus, Here's the latest set of device mapper patches against 2.5.63. All trivial. Please apply. Thanks, - Joe ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-26 17:05 device-mapper patchset 2.5.63-dm-1 Joe Thornber @ 2003-02-26 17:09 ` Joe Thornber 2003-02-26 21:04 ` Horst von Brand 0 siblings, 1 reply; 10+ messages in thread From: Joe Thornber @ 2003-02-26 17:09 UTC (permalink / raw) To: Linus Torvalds, Linux Mailing List Use the correct size for "name" in register_with_devfs(). During Al Viro's devfs cleanup a few versions ago, this function was rewritten, and the "name" string added. The 32-byte size is not large enough to prevent a possible buffer overflow in the sprintf() call, since the hash cell can have a name up to 128 characters. [Kevin Corry] --- diff/drivers/md/dm-ioctl.c 2003-02-26 16:09:42.000000000 +0000 +++ source/drivers/md/dm-ioctl.c 2003-02-26 16:09:52.000000000 +0000 @@ -173,7 +173,7 @@ */ static int register_with_devfs(struct hash_cell *hc) { - char name[32]; + char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; struct gendisk *disk = dm_disk(hc->md); sprintf(name, DM_DIR "/%s", hc->name); ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-26 17:09 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Joe Thornber @ 2003-02-26 21:04 ` Horst von Brand 2003-02-27 14:20 ` Kevin Corry 0 siblings, 1 reply; 10+ messages in thread From: Horst von Brand @ 2003-02-26 21:04 UTC (permalink / raw) To: Joe Thornber; +Cc: Linus Torvalds, Linux Mailing List, vonbrand Joe Thornber <joe@fib011235813.fsnet.co.uk> said: > Use the correct size for "name" in register_with_devfs(). > > During Al Viro's devfs cleanup a few versions ago, this function was > rewritten, and the "name" string added. The 32-byte size is not large > enough to prevent a possible buffer overflow in the sprintf() call, > since the hash cell can have a name up to 128 characters. > > [Kevin Corry] > > --- diff/drivers/md/dm-ioctl.c 2003-02-26 16:09:42.000000000 +0000 > +++ source/drivers/md/dm-ioctl.c 2003-02-26 16:09:52.000000000 +0000 > @@ -173,7 +173,7 @@ > */ > static int register_with_devfs(struct hash_cell *hc) > { > - char name[32]; > + char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; This either makes a large name array or generates a possibly huge array at runtime (bad if your stack is < 8KiB). -- Dr. Horst H. von Brand User #22616 counter.li.org Departamento de Informatica Fono: +56 32 654431 Universidad Tecnica Federico Santa Maria +56 32 654239 Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-26 21:04 ` Horst von Brand @ 2003-02-27 14:20 ` Kevin Corry 2003-02-27 14:36 ` Kevin Corry 0 siblings, 1 reply; 10+ messages in thread From: Kevin Corry @ 2003-02-27 14:20 UTC (permalink / raw) To: Horst von Brand, Joe Thornber Cc: Linus Torvalds, Linux Mailing List, vonbrand On Wednesday 26 February 2003 15:04, Horst von Brand wrote: > Joe Thornber <joe@fib011235813.fsnet.co.uk> said: > > Use the correct size for "name" in register_with_devfs(). > > > > During Al Viro's devfs cleanup a few versions ago, this function was > > rewritten, and the "name" string added. The 32-byte size is not large > > enough to prevent a possible buffer overflow in the sprintf() call, > > since the hash cell can have a name up to 128 characters. > > > > [Kevin Corry] > > > > --- diff/drivers/md/dm-ioctl.c 2003-02-26 16:09:42.000000000 +0000 > > +++ source/drivers/md/dm-ioctl.c 2003-02-26 16:09:52.000000000 +0000 > > @@ -173,7 +173,7 @@ > > */ > > static int register_with_devfs(struct hash_cell *hc) > > { > > - char name[32]; > > + char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; > > This either makes a large name array or generates a possibly huge array at > runtime (bad if your stack is < 8KiB). Would this be better? -- Kevin Corry corryk@us.ibm.com http://evms.sourceforge.net/ --- linux-2.5.60a/drivers/md/dm-ioctl.c 2003/02/13 16:43:26 +++ linux-2.5.60b/drivers/md/dm-ioctl.c 2003/02/27 14:17:00 @@ -173,8 +173,11 @@ */ static int register_with_devfs(struct hash_cell *hc) { - char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; struct gendisk *disk = dm_disk(hc->md); + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); + if (!name) { + return -ENOMEM; + } sprintf(name, DM_DIR "/%s", hc->name); devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER, \x10 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-27 14:20 ` Kevin Corry @ 2003-02-27 14:36 ` Kevin Corry 2003-02-27 16:25 ` Roland Dreier 0 siblings, 1 reply; 10+ messages in thread From: Kevin Corry @ 2003-02-27 14:36 UTC (permalink / raw) To: Horst von Brand, Joe Thornber; +Cc: Linus Torvalds, Linux Mailing List On Thursday 27 February 2003 08:20, Kevin Corry wrote: > On Wednesday 26 February 2003 15:04, Horst von Brand wrote: > > Joe Thornber <joe@fib011235813.fsnet.co.uk> said: > > > Use the correct size for "name" in register_with_devfs(). > > > > > > During Al Viro's devfs cleanup a few versions ago, this function was > > > rewritten, and the "name" string added. The 32-byte size is not large > > > enough to prevent a possible buffer overflow in the sprintf() call, > > > since the hash cell can have a name up to 128 characters. > > > > > > [Kevin Corry] > > > > > > --- diff/drivers/md/dm-ioctl.c 2003-02-26 16:09:42.000000000 +0000 > > > +++ source/drivers/md/dm-ioctl.c 2003-02-26 16:09:52.000000000 +0000 > > > @@ -173,7 +173,7 @@ > > > */ > > > static int register_with_devfs(struct hash_cell *hc) > > > { > > > - char name[32]; > > > + char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; > > > > This either makes a large name array or generates a possibly huge array > > at runtime (bad if your stack is < 8KiB). > > Would this be better? As Joe pointed out to me, that should have been: --- linux-2.5.60a/drivers/md/dm-ioctl.c 2003/02/13 16:43:26 +++ linux-2.5.60b/drivers/md/dm-ioctl.c 2003/02/27 14:35:20 @@ -173,14 +173,18 @@ */ static int register_with_devfs(struct hash_cell *hc) { - char name[DM_NAME_LEN + strlen(DM_DIR) + 1]; struct gendisk *disk = dm_disk(hc->md); + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); + if (!name) { + return -ENOMEM; + } sprintf(name, DM_DIR "/%s", hc->name); devfs_register(NULL, name, DEVFS_FL_CURRENT_OWNER, disk->major, disk->first_minor, S_IFBLK | S_IRUSR | S_IWUSR | S_IRGRP, &dm_blk_dops, NULL); + kfree(name); return 0; } ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-27 14:36 ` Kevin Corry @ 2003-02-27 16:25 ` Roland Dreier 2003-02-27 16:34 ` Kevin Corry 2003-02-27 22:05 ` Kevin Corry 0 siblings, 2 replies; 10+ messages in thread From: Roland Dreier @ 2003-02-27 16:25 UTC (permalink / raw) To: Kevin Corry; +Cc: Linux Mailing List > + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); > + if (!name) { > + return -ENOMEM; > + } Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL in this case, although I don't know the context this function is called from). - Roland ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-27 16:25 ` Roland Dreier @ 2003-02-27 16:34 ` Kevin Corry 2003-02-27 22:05 ` Kevin Corry 1 sibling, 0 replies; 10+ messages in thread From: Kevin Corry @ 2003-02-27 16:34 UTC (permalink / raw) To: Roland Dreier, Joe Thornber; +Cc: Linux Mailing List, Linus Torvalds On Thursday 27 February 2003 10:25, Roland Dreier wrote: > > + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); > > + if (!name) { > > + return -ENOMEM; > > + } > > Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL > in this case, although I don't know the context this function is > called from). > > - Roland Dammit! I'm not having a good morning. :( Unfortunately, Linus seems to have committed that patch already. So here is a patch to fix just that line. Thanks for catching that. -- Kevin Corry corryk@us.ibm.com http://evms.sourceforge.net/ --- a/drivers/md/dm-ioctl.c 2003/02/27 16:29:58 +++ b/drivers/md/dm-ioctl.c 2003/02/27 16:30:03 @@ -174,7 +174,7 @@ static int register_with_devfs(struct hash_cell *hc) { struct gendisk *disk = dm_disk(hc->md); - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL); if (!name) { return -ENOMEM; } ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface 2003-02-27 16:25 ` Roland Dreier 2003-02-27 16:34 ` Kevin Corry @ 2003-02-27 22:05 ` Kevin Corry 1 sibling, 0 replies; 10+ messages in thread From: Kevin Corry @ 2003-02-27 22:05 UTC (permalink / raw) To: Roland Dreier, Linus Torvalds; +Cc: Linux Mailing List [Sent this earlier, but it doesn't seem to have shown up yet. My outgoing email server seems to flake out at times. Sorry if this is a duplicate, but it seemed important enough to resend, since we'd like to avoid the extra compile failure.] On Thursday 27 February 2003 10:25, Roland Dreier wrote: > > + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); > > + if (!name) { > > + return -ENOMEM; > > + } > > Also, kmalloc() needs a second "GFP_xxx" parameter (I guess GFP_KERNEL > in this case, although I don't know the context this function is > called from). > > - Roland Dammit! I'm not having a good morning. :( Unfortunately, Linus seems to have committed that patch already. So here is a patch to fix just that line. Thanks for catching that. -- Kevin Corry corryk@us.ibm.com http://evms.sourceforge.net/ --- a/drivers/md/dm-ioctl.c 2003/02/27 16:29:58 +++ b/drivers/md/dm-ioctl.c 2003/02/27 17:21:54 @@ -174,7 +174,7 @@ static int register_with_devfs(struct hash_cell *hc) { struct gendisk *disk = dm_disk(hc->md); - char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1); + char *name = kmalloc(DM_NAME_LEN + strlen(DM_DIR) + 1, GFP_KERNEL); if (!name) { return -ENOMEM; } ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2003-02-28 18:25 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <OF06EBF3D5.39937A14-ON87256CDB.004FD627@us.ibm.com>
2003-02-28 14:59 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Kevin Corry
2003-02-28 18:14 ` Horst von Brand
2003-02-28 18:31 ` Kevin Corry
2003-02-26 17:05 device-mapper patchset 2.5.63-dm-1 Joe Thornber
2003-02-26 17:09 ` [PATCH 3/8] dm: prevent possible buffer overflow in ioctl interface Joe Thornber
2003-02-26 21:04 ` Horst von Brand
2003-02-27 14:20 ` Kevin Corry
2003-02-27 14:36 ` Kevin Corry
2003-02-27 16:25 ` Roland Dreier
2003-02-27 16:34 ` Kevin Corry
2003-02-27 22:05 ` Kevin Corry
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox