public inbox for linux-kernel@vger.kernel.org
From: Glen Nakamura <glen@imodulo.com>
To: James Morris <jmorris@redhat.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Mysterious string truncation in 2.4.25 kernel
Date: Tue, 2 Mar 2004 19:35:47 -1000
Message-ID: <20040303053547.GA3160@modulo.internal>
In-Reply-To: <Xine.LNX.4.44.0403022302030.31759-100000@thoron.boston.redhat.com>

On Tue, Mar 02, 2004 at 11:03:15PM -0500, James Morris wrote:
> I don't see how the patch could be related to the problem you are seeing.  

Thanks for the response...  I took another look and my current theory is
that the problem occurs in the following invocation of do_mount:

void __init mount_devfs_fs (void)
{
    int err;

    if ( !(boot_options & OPTION_MOUNT) ) return;
    err = do_mount ("none", "/dev", "devfs", 0, "");
    if (err == 0) printk (KERN_INFO "Mounted devfs on /dev\n");
    else PRINTK ("(): unable to mount devfs, err: %d\n", err);
}   /*  End Function mount_devfs_fs  */

This call to do_mount is on line 3552 of fs/devfs/base.c and passes a const
string as the data_page parameter.  Then in do_mount in fs/namespace.c on
line 718:

	if (data_page)
		((char *)data_page)[PAGE_SIZE - 1] = 0;

The above statement zeros a byte that is out of bounds and corrupts another
string in the same section of memory.  In my build, this happens to truncate
the "serial" string to "se".

So is it really safe to simply zero the byte at [PAGE_SIZE - 1]?
The comment says "up to PAGE_SIZE-1 bytes", _not_ "exactly PAGE_SIZE-1 bytes".
It doesn't mention anything about padding, etc.

Of course, perhaps 0 should be passed instead of "" for data_page?

-    err = do_mount ("none", "/dev", "devfs", 0, "");
+    err = do_mount ("none", "/dev", "devfs", 0, 0);
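
Review bot: on the + line the data_page argument becomes a bare 0; NULL states the intent for a pointer parameter more clearly, and with a null pointer the `if (data_page)` guard quoted earlier in this message skips the write. The change touches only the devfs caller, so `((char *)data_page)[PAGE_SIZE - 1] = 0;` in do_mount still assumes that every non-null data_page spans a full page; a comment at do_mount stating that requirement, or a check of the other in-kernel callers, would belong with this change. It is also worth confirming that devfs accepts a null data pointer where it previously received an empty string.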

Comments?

- glen
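
The truncation described in this message, reproduced in user space as an added example (not code from the message or from the kernel). The page size is scaled down to `DEMO_PAGE_SIZE`, the string section is simulated by one array so that the stray write stays inside defined memory, and every `demo_*` name, the section layout and the bounded variant are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define DEMO_PAGE_SIZE 16  /* assumption: scaled-down stand-in for PAGE_SIZE */

/* Constructed stand-in for the string section that holds "" and "serial". */
struct demo_section { char bytes[32]; };

/* Put "" at offset 0 and "serial" so its 'r' lands at DEMO_PAGE_SIZE - 1. */
static size_t demo_section_init(struct demo_section *s)
{
    size_t serial_off = DEMO_PAGE_SIZE - 1 - 2;   /* "se" precede the hit byte */
    memset(s->bytes, 'x', sizeof s->bytes);        /* filler for other strings */
    s->bytes[0] = '\0';                            /* the "" passed as data_page */
    memcpy(s->bytes + serial_off, "serial", sizeof "serial");
    return serial_off;
}

/* Statement from the message with DEMO_PAGE_SIZE substituted for PAGE_SIZE. */
static void terminate_assuming_page(void *data_page)
{
    if (data_page)
        ((char *)data_page)[DEMO_PAGE_SIZE - 1] = 0;
}

/* Length of the neighbouring string after the write is applied to the "". */
static size_t demo_unbounded(void)
{
    struct demo_section s;
    size_t off = demo_section_init(&s);
    terminate_assuming_page(s.bytes);
    return strlen(s.bytes + off);
}

/* Hypothetical bounded variant: copy into a full page first, terminate that. */
static size_t demo_bounded(void)
{
    struct demo_section s;
    char page[DEMO_PAGE_SIZE] = {0};
    size_t off = demo_section_init(&s);
    strncpy(page, s.bytes, DEMO_PAGE_SIZE - 1);
    terminate_assuming_page(page);
    return strlen(s.bytes + off);
}

int main(void)
{
    printf("unbounded: %zu, bounded: %zu\n", demo_unbounded(), demo_bounded());
    return 0;
}
```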
