From: Andrew Morton <akpm@linux-foundation.org>
To: "Petr Tesařík" <ptesarik@suse.cz>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] free pages in remove_arg_zero()
Date: Wed, 21 Feb 2007 15:41:59 -0800 [thread overview]
Message-ID: <20070221154159.d316d526.akpm@linux-foundation.org> (raw)
In-Reply-To: <1171978145.22720.21.camel@golias.tesarici.cz>
On Tue, 20 Feb 2007 14:29:04 +0100
Petr Tesařík <ptesarik@suse.cz> wrote:
> I've found a bug when executing scripts:
You've found more than that.
> When a script is loaded, load_script() replaces argv[0] with the
> name of the interpreter and the filename passed to the exec syscall.
> However, there is no guarantee that the length of the interpreter
> name plus the length of the filename is greater than the length of
> the original argv[0]. If the difference happens to cross a page boundary,
> setup_arg_pages() will call install_arg_page() with an address outside
> the VMA.
>
> Therefore, remove_arg_zero() must free all pages which would be unused
> after the argument is removed.
>
> Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
>
> --- linux-sles9.orig/fs/exec.c
> +++ linux-sles9/fs/exec.c
> @@ -1000,6 +1000,8 @@ void remove_arg_zero(struct linux_binprm
> continue;
> offset = 0;
> kunmap_atomic(kaddr, KM_USER0);
> + __free_page(page);
> + bprm->page[bprm->p/PAGE_SIZE - 1] = NULL;
> inside:
> page = bprm->page[bprm->p/PAGE_SIZE];
> kaddr = kmap_atomic(page, KM_USER0);
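Review bot: the added __free_page() is reached only through the loop body, i.e. after the byte just consumed was not the terminating NUL, so when the NUL of argv[0] happens to be the last byte of a page the loop exits with bprm->p on the next page boundary and that page is left in bprm->page[] entirely below p; callers that push replacement strings immediately afterwards descend back into it, but that assumption belongs in a comment, or the page can be released after the loop when offset == PAGE_SIZE. The slot index "bprm->p/PAGE_SIZE - 1" also depends on the "bprm->p++" in the while condition having already run; since the local "page" is exactly the struct page that was just unmapped, a comment saying that the index names the same page as "page" would make the pairing of the two added lines obvious. Finally, the diff is against linux-sles9 paths ("--- linux-sles9.orig/fs/exec.c"), so it needs rebasing against mainline before it can be applied.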
I am not surprised that remove_arg_zero() is buggy. Let us look at the
stupid thing:
void remove_arg_zero(struct linux_binprm *bprm)
{
	if (bprm->argc) {
		unsigned long offset;
		char * kaddr;
		struct page *page;

		offset = bprm->p % PAGE_SIZE;
		goto inside;

		/* step over argv[0] one byte at a time, page by page */
		while (bprm->p++, *(kaddr+offset++)) {
			if (offset != PAGE_SIZE)
				continue;
			/* ran off the end of this page: map the next one */
			offset = 0;
			kunmap_atomic(kaddr, KM_USER0);
inside:
			page = bprm->page[bprm->p/PAGE_SIZE];
			kaddr = kmap_atomic(page, KM_USER0);
		}
		kunmap_atomic(kaddr, KM_USER0);
		bprm->argc--;
	}
}
I mean.... what the hell?
As you appear to have managed to work out what the sorry thing is trying to
do, would you have time to simply rip it out and completely rewrite it,
including a nice comment telling the world what this function's function is?
Because what we have there is beyond repairing.
Thanks.
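The situation the thread describes, as an added user-space model that is not the kernel's code: a tiny linux_binprm-style argument area with strings pushed downward from the top as copy_strings() does, a remove_arg_zero() look-alike that can either leave or release the pages it walks off, and a count of pages that end up entirely below bprm->p (the ones setup_arg_pages() would hand to install_arg_page() outside the VMA). The field names page[], p and argc, and the names PAGE_SIZE and MAX_ARG_PAGES, mirror the kernel; the 64-byte page size, the calloc'd pages, the orphan count and the sample strings are constructed for the demonstration. It generalizes the patch slightly by freeing a page whenever the walk crosses its boundary, including when argv[0]'s NUL is the last byte of a page.

```c
/* Added example, not the kernel's code: user-space model of the 2.6.20
 * argument area, showing why remove_arg_zero() must free the pages it
 * walks off when the replacement argv[0] is shorter than the original. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE     64   /* deliberately small so strings cross pages (constructed) */
#define MAX_ARG_PAGES 8

struct binprm {
	char *page[MAX_ARG_PAGES];   /* NULL = no page for this slot, as in the kernel */
	unsigned long p;             /* lowest used offset; strings grow downward */
	int argc;
};

static void binprm_init(struct binprm *bprm)
{
	memset(bprm, 0, sizeof(*bprm));
	bprm->p = PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *);
}

static void binprm_free(struct binprm *bprm)
{
	for (int i = 0; i < MAX_ARG_PAGES; i++)
		free(bprm->page[i]);
}

/* Like copy_strings(): push one string (with its NUL) below bprm->p,
 * allocating a page for any slot it touches that has none. */
static int push_string(struct binprm *bprm, const char *s)
{
	size_t len = strlen(s) + 1;
	if (bprm->p < len)
		return -1;
	bprm->p -= len;
	for (size_t i = 0; i < len; i++) {
		unsigned long pos = bprm->p + i, idx = pos / PAGE_SIZE;
		if (!bprm->page[idx] && !(bprm->page[idx] = calloc(PAGE_SIZE, 1)))
			return -1;
		bprm->page[idx][pos % PAGE_SIZE] = s[i];
	}
	bprm->argc++;
	return 0;
}

/* Model of remove_arg_zero(): advance p past argv[0] and its NUL.
 * With release_pages set, every page the walk leaves behind is freed and
 * its slot cleared (what the patch adds); with it clear, the page stays
 * in page[] below p, which is the bug. Unlike the patch, the page is also
 * freed when the NUL is its last byte. */
static void remove_arg_zero_model(struct binprm *bprm, int release_pages)
{
	if (!bprm->argc)
		return;
	for (;;) {
		unsigned long idx = bprm->p / PAGE_SIZE;
		char c = bprm->page[idx][bprm->p % PAGE_SIZE];
		bprm->p++;
		if (release_pages && bprm->p % PAGE_SIZE == 0) {
			free(bprm->page[idx]);
			bprm->page[idx] = NULL;
		}
		if (c == '\0')
			break;
	}
	bprm->argc--;
}

/* Pages that still sit entirely below p: setup_arg_pages() would pass
 * each of these to install_arg_page() at an address below the VMA. */
static int orphan_pages(const struct binprm *bprm)
{
	int n = 0;
	for (unsigned long i = 0; i < bprm->p / PAGE_SIZE; i++)
		n += bprm->page[i] != NULL;
	return n;
}

/* load_script()'s argv[0] rewrite on a constructed area: a 70-byte original
 * argv[0] spans two pages, the replacement "/bin/sh" + "script.sh" fits in
 * the upper one. Returns the number of orphaned pages. */
static int script_exec_orphans(int release_pages)
{
	char long_argv0[71];
	struct binprm bprm;
	int n;

	memset(long_argv0, 'x', 70);
	long_argv0[70] = '\0';
	binprm_init(&bprm);
	push_string(&bprm, "arg");          /* argv[1] goes in first, highest */
	push_string(&bprm, long_argv0);     /* argv[0], lowest */
	remove_arg_zero_model(&bprm, release_pages);
	push_string(&bprm, "script.sh");    /* filename, then interpreter name */
	push_string(&bprm, "/bin/sh");
	n = orphan_pages(&bprm);
	binprm_free(&bprm);
	return n;
}

int main(void)
{
	printf("without freeing: %d orphan page(s)\n", script_exec_orphans(0));
	printf("with freeing:    %d orphan page(s)\n", script_exec_orphans(1));
	return 0;
}
```

With the 64-byte pages, the original argv[0] occupies offsets 429..499, so the walk crosses from page 6 into page 7; the shorter replacement never descends back into page 6, which is therefore orphaned unless the walk released it.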
Thread overview:
2007-02-20 13:29 [PATCH] free pages in remove_arg_zero() Petr Tesařík
2007-02-21 23:41 ` Andrew Morton [this message]
2007-03-07 22:09 ` [PATCH] remove_arg_zero() rewrite Peter Zijlstra
2007-03-07 22:41 ` Andrew Morton
2007-03-07 22:55 ` Peter Zijlstra
2007-03-07 23:05 ` Randy Dunlap