[PATCH 2.4] Fix d_path() truncating excessive long path name vulnerability

Marc-Christian Petersen (m.c.p@wolk-project.de)
Tue, 10 Dec 2002 03:28:21 +0100


Hi Marcelo,

the d_path() long name truncation vulnerability
(see http://cert.uni-stuttgart.de/archive/bugtraq/2002/03/msg00384.html)
isn't fixed in 2.4.x up to 2.4.21-BK.

This trivial patch fixes it. Instead of truncating the path with no error,
the caller gets ENAMETOOLONG.

Patch credits go to Jirka Kosina.

Has been in WOLK and in -aa kernels for ages.

ciao, Marc

--- linux/fs/dcache.c.orig Mon Feb 25 20:38:08 2002
+++ linux/fs/dcache.c Mon Apr 1 04:16:45 2002
@@ -976,14 +976,17 @@
parent = dentry->d_parent;
namelen = dentry->d_name.len;
buflen -= namelen + 1;
- if (buflen < 0)
- break;
+ if (buflen < 0){
+ retval = ERR_PTR(-ENAMETOOLONG);
+ goto out;
+ }
end -= namelen;
memcpy(end, dentry->d_name.name, namelen);
*--end = '/';
retval = end;
dentry = parent;
}
+out:
return retval;
global_root:
namelen = dentry->d_name.len;
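
Review bot: the `out:` label added before `return retval;` is reached only by the single `goto out` in the new `if (buflen < 0)` branch, so a direct `return ERR_PTR(-ENAMETOOLONG);` in that branch would be shorter and would avoid a second label next to `global_root:`. The brace in `if (buflen < 0){` also needs a space before it. Because the function can now hand back an error pointer where it used to hand back a truncated string, any caller that this patch does not update has to check the result with IS_ERR() before treating it as a path; the patch description should say which callers were audited.
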
@@ -992,6 +995,8 @@
retval -= namelen-1; /* hit the slash */
memcpy(retval, dentry->d_name.name, namelen);
}
+ else
+ retval = ERR_PTR(-ENAMETOOLONG);
return retval;
}

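Review bot: the added `else` is unbraced and sits on its own line after the braced block that ends in `}` just above it; `} else {` with braces on both branches keeps the two arms visually paired and makes it harder for a later edit to detach the error assignment from its condition. Neither this hunk nor the first one adds a comment saying that the function can now return ERR_PTR(-ENAMETOOLONG), which is a change of contract worth documenting at the function header.
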
@@ -1041,8 +1046,11 @@
spin_unlock(&dcache_lock);

error = -ERANGE;
+
+ if (cwd == ERR_PTR(-ENAMETOOLONG)) error = -ENAMETOOLONG;
+
len = PAGE_SIZE + page - cwd;
- if (len <= size) {
+ if (len <= size && error != -ENAMETOOLONG) {
error = len;
if (copy_to_user(buf, cwd, len))
error = -EFAULT;
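
Review bot: `len = PAGE_SIZE + page - cwd;` is still evaluated when `cwd` holds `ERR_PTR(-ENAMETOOLONG)`, so `len` is derived from an error value and only the added `error != -ENAMETOOLONG` term in the following `if` keeps it from being used. Testing `IS_ERR(cwd)` first, setting `error = PTR_ERR(cwd)`, and skipping the length computation and the copy in that case would handle any error pointer rather than this one value and would make the extra condition unnecessary. The one-line `if (cwd == ERR_PTR(-ENAMETOOLONG)) error = -ENAMETOOLONG;` should also be split so the assignment is on its own line.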
