Re: [PATCH] 2.2.20: Avoid buffer overrun in quota warning

Jan Kara (jack@suse.cz)
Wed, 3 Oct 2001 20:11:51 +0200

Hello,

> > Actually that delayed printing of quota messages isn't even in regular
> >2.4 - it's just in ac-patches. Regular 2.4 has just print_warning()
> >function which works rather the same way as printing in 2.2.
>
> Regular 2.4 prints bdevname(dquot->dq_sb->s_dev) rather than
> dquot->dq_mnt->mnt_dirname, so is rather less likely to have the same
> sprintf() overrun problems.
I've created patch for 2.2.18 kernel (applies well against 2.2.19 too) which
makes quota code print bdevname() rather that mountpoint and so avoids
possible overrun. Actually this overrun is possible only if root makes
mountpoint deep in directory structure so IMO there's no possibility for
exploit but anyway... Alan please apply the patch.

Honza

--
Jan Kara <jack@suse.cz>
SuSE Labs


<cut>
----------------------------------------------------------------------
diff -ru -X /home/jack/.kerndiffexclude linux-2.2.18/fs/dquot.c linux-2.2.18-overflowfix/fs/dquot.c
--- linux-2.2.18/fs/dquot.c	Fri Dec 15 17:27:15 2000
+++ linux-2.2.18-overflowfix/fs/dquot.c	Mon Oct  1 22:43:08 2001
@@ -848,7 +848,7 @@
 		if ((dquot->dq_flags & DQ_INODES) == 0 &&
                      need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: write failed, %s file limit reached\n",
-			        dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+			        bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 			dquot->dq_flags |= DQ_INODES;
 		}
@@ -861,7 +861,7 @@
             !ignore_hardlimit(dquot, initiator)) {
                 if (need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: warning, %s file quota exceeded too long.\n",
-		        	dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+		        	bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 		}
 		return(NO_QUOTA);
@@ -872,7 +872,7 @@
 	    dquot->dq_itime == 0) {
                 if (need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: warning, %s file quota exceeded\n",
-		        	dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+		        	bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 		}
 		dquot->dq_itime = CURRENT_TIME + dquot->dq_mnt->mnt_dquot.inode_expire[type];
@@ -893,7 +893,7 @@
 		if (warn && (dquot->dq_flags & DQ_BLKS) == 0 &&
                      need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: write failed, %s disk limit reached.\n",
-			        dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+			        bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 			dquot->dq_flags |= DQ_BLKS;
 		}
@@ -906,7 +906,7 @@
             !ignore_hardlimit(dquot, initiator)) {
                 if (warn && need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: write failed, %s disk quota exceeded too long.\n",
-		        	dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+		        	bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 		}
 		return(NO_QUOTA);
@@ -917,7 +917,7 @@
 	    dquot->dq_btime == 0) {
                 if (warn && need_print_warning(type, initiator, dquot)) {
 			sprintf(quotamessage, "%s: warning, %s disk quota exceeded\n",
-		        	dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+		        	bdevname(dquot->dq_dev), quotatypes[type]);
 			tty_write_message(tty, quotamessage);
 		}
 		dquot->dq_btime = CURRENT_TIME + dquot->dq_mnt->mnt_dquot.block_expire[type];
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/