Re: [CHECKER] potential dereference of user pointer errors

Chris Wright (chris@wirex.com)
Fri, 21 Mar 2003 16:32:54 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: john stultz: "[RFC] [PATCH] linux-2.5.56_clock-override_A1"
Previous message: Greg KH: "Re: [CHECKER] potential dereference of user pointer errors"

* Junfeng Yang (yjf@stanford.edu) wrote:
>
> [UNKNOWN] sys_quotaoctl is a real system call. The entry point is at
> entry.S. But this file is under subdir fs. So there must be something we
> are missing
>
> /home/junfeng/linux-2.5.63/fs/block_dev.c:817:lookup_bdev: ERROR:TAINTED
> deferencing "path" tainted by [dist=1][called by
> /home/junfeng/linux-2.5.63/fs/quota.c:sys_quotactl:parm1]

Yup, this is a bug, should have a getname() in there. Patch below.

thanks,
-chris

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

===== fs/quota.c 1.12 vs edited =====
--- 1.12/fs/quota.c	Sun Feb  2 13:40:31 2003
+++ edited/fs/quota.c	Fri Mar 21 16:25:46 2003
@@ -221,12 +221,17 @@
 	uint cmds, type;
 	struct super_block *sb = NULL;
 	struct block_device *bdev;
+	char *tmp;
 	int ret = -ENODEV;
 
 	cmds = cmd >> SUBCMDSHIFT;
 	type = cmd & SUBCMDMASK;
 
-	bdev = lookup_bdev(special);
+	tmp = getname(special);
+	if (IS_ERR(tmp))
+		return PTR_ERR(tmp);
+	bdev = lookup_bdev(tmp);
+	putname(tmp);
 	if (IS_ERR(bdev))
 		return PTR_ERR(bdev);
 	sb = get_super(bdev);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: john stultz: "[RFC] [PATCH] linux-2.5.56_clock-override_A1"
Previous message: Greg KH: "Re: [CHECKER] potential dereference of user pointer errors"