linux-sg2042/fs
Vegard Nossum eca6f534e6 fs: fix overflow in sys_mount() for in-kernel calls
sys_mount() reads/copies a whole page for its "type" parameter.  When
do_mount_root() passes a kernel address that points to an object which is
smaller than a whole page, copy_mount_options() will happily go past this
memory object, possibly dereferencing "wild" pointers that could be in any
state (hence the kmemcheck warning, which shows that parts of the next
page are not even allocated).

(The likelihood of something going wrong here is pretty low -- first of
all this only applies to kernel calls to sys_mount(), which are mostly
found in the boot code.  Secondly, I guess if the page was not mapped,
exact_copy_from_user() _would_ in fact handle it correctly because of its
access_ok(), etc.  checks.)

But it is much nicer to avoid the dubious reads altogether, by stopping as
soon as we find a NUL byte.  Is there a good reason why we can't do
something like this, using the already existing strndup_from_user()?

[akpm@linux-foundation.org: make copy_mount_string() static]
[AV: fix compat mount breakage, which involves undoing akpm's change above]

Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: al <al@dizzy.pdmi.ras.ru>
2009-09-24 08:40:15 -04:00
..
9p 9p: Add fscache support to 9p 2009-09-23 13:03:46 -05:00
adfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
affs affs: add ->sync_fs 2009-06-11 21:36:14 -04:00
afs seq_file: constify seq_operations 2009-09-23 07:39:29 -07:00
autofs trivial: remove unnecessary semicolons 2009-09-21 15:14:58 +02:00
autofs4 autofs4 - fix missed case when changing to use struct path 2009-08-31 17:44:05 -10:00
befs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
bfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
btrfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-09-22 07:51:45 -07:00
cachefiles enforce ->sync_fs is only called for rw superblock 2009-06-11 21:36:06 -04:00
cifs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
coda splice: implement default splice_read method 2009-05-11 14:13:10 +02:00
configfs writeback: add name to backing_dev_info 2009-09-11 09:20:26 +02:00
cramfs
debugfs debugfs: use specified mode to possibly mark files read/write only 2009-06-15 21:30:28 -07:00
devpts Move magic numbers into magic.h 2009-09-23 07:39:28 -07:00
dlm seq_file: constify seq_operations 2009-09-23 07:39:29 -07:00
ecryptfs const: mark remaining address_space_operations const 2009-09-22 07:17:24 -07:00
efs get rid of BKL in fs/efs 2009-06-17 00:36:36 -04:00
exofs exofs: remove BKL from super operations 2009-09-24 07:47:38 -04:00
exportfs
ext2 ext2: fix format string compile warning (ino_t) 2009-09-23 07:39:58 -07:00
ext3 const: make struct super_block::s_qcop const 2009-09-22 07:17:24 -07:00
ext4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-09-22 07:51:45 -07:00
fat fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
freevxfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
fscache FS-Cache: Fixup renamed filenames in comments in internal.h 2009-05-27 10:20:13 -07:00
fuse Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse 2009-09-18 09:23:03 -07:00
gfs2 headers: utsname.h redux 2009-09-23 18:13:10 -07:00
hfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
hfsplus fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
hostfs hostfs: set maximum filesize in superblock for proper LFS support 2009-06-30 18:56:03 -07:00
hpfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
hppfs
hugetlbfs vfs: split generic_forget_inode() so that hugetlbfs does not have to copy it 2009-09-24 07:47:25 -04:00
isofs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
jbd jbd: Annotate transaction start also for journal_restart() 2009-09-16 17:44:10 +02:00
jbd2 seq_file: constify seq_operations 2009-09-23 07:39:29 -07:00
jffs2 Merge git://git.infradead.org/mtd-2.6 2009-09-23 10:07:49 -07:00
jfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
lockd headers: utsname.h redux 2009-09-23 18:13:10 -07:00
minix V3 minixfs: add missing directory type checking 2009-09-23 07:39:57 -07:00
ncpfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
nfs headers: utsname.h redux 2009-09-23 18:13:10 -07:00
nfs_common
nfsd headers: utsname.h redux 2009-09-23 18:13:10 -07:00
nilfs2 const: mark remaining inode_operations as const 2009-09-22 07:17:24 -07:00
nls fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
notify inotify: update the group mask on mark addition 2009-08-28 12:51:14 -04:00
ntfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
ocfs2 headers: utsname.h redux 2009-09-23 18:13:10 -07:00
omfs const: mark remaining inode_operations as const 2009-09-22 07:17:24 -07:00
openpromfs
partitions const: make block_device_operations const 2009-09-22 07:17:25 -07:00
proc /proc/kcore: update stat.st_size after memory hotplug 2009-09-23 07:39:42 -07:00
qnx4 qnx4: remove write support 2009-09-23 07:39:30 -07:00
quota const: make struct super_block::s_qcop const 2009-09-22 07:17:24 -07:00
ramfs ramfs: move RAMFS_MAGIC to include/linux/magic.h 2009-09-23 07:39:42 -07:00
reiserfs const: make struct super_block::s_qcop const 2009-09-22 07:17:24 -07:00
romfs fs/romfs: correct error-handling code 2009-09-24 07:47:37 -04:00
smbfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
squashfs const: mark remaining super_operations const 2009-09-22 07:17:24 -07:00
sysfs Merge branch 'writeback' of git://git.kernel.dk/linux-2.6-block 2009-09-11 09:17:05 -07:00
sysv get rid of BKL in fs/sysv 2009-06-17 00:36:37 -04:00
ubifs const: mark remaining address_space_operations const 2009-09-22 07:17:24 -07:00
udf udf: Fix possible corruption when close races with write 2009-09-14 19:13:01 +02:00
ufs ufs: sector_t cannot be negative 2009-06-18 13:03:46 -07:00
xfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-09-22 07:51:45 -07:00
Kconfig tmpfs: depend on shmem 2009-09-22 07:17:41 -07:00
Kconfig.binfmt
Makefile nilfs2: update makefile and Kconfig 2009-04-07 08:31:16 -07:00
aio.c aio.c: move EXPORT* macros to line after function 2009-09-23 07:39:29 -07:00
anon_inodes.c anonfd: split interface into file creation and install 2009-09-23 07:39:29 -07:00
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c mm: add get_dump_page 2009-09-22 07:17:40 -07:00
binfmt_elf_fdpic.c mm: add get_dump_page 2009-09-22 07:17:40 -07:00
binfmt_em86.c
binfmt_flat.c flat: fix uninitialized ptr with shared libs 2009-08-07 10:39:57 -07:00
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c block: Create bip slabs with embedded integrity vectors 2009-07-01 10:56:25 +02:00
bio.c block: fix sg SG_DXFER_TO_FROM_DEV regression 2009-07-10 20:31:53 +02:00
block_dev.c freeze_bdev: grab active reference to frozen superblocks 2009-09-24 07:47:41 -04:00
buffer.c fs/buffer.c: clean up EXPORT* macros 2009-09-23 07:39:29 -07:00
char_dev.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 2009-09-11 09:19:35 -07:00
compat.c fs: fix overflow in sys_mount() for in-kernel calls 2009-09-24 08:40:15 -04:00
compat_binfmt_elf.c
compat_ioctl.c compat_ioctl: hook up compat handler for FIEMAP ioctl 2009-08-07 10:39:56 -07:00
dcache.c sched: Pull up the might_sleep() check into cond_resched() 2009-07-18 15:51:44 +02:00
dcookies.c
direct-io.c block: Do away with the notion of hardsect_size 2009-05-22 23:22:54 +02:00
drop_caches.c mm: remove __invalidate_mapping_pages variant 2009-06-16 19:47:43 -07:00
eventfd.c anonfd: split interface into file creation and install 2009-09-23 07:39:29 -07:00
eventpoll.c epoll: fix nested calls support 2009-06-18 13:03:41 -07:00
exec.c procfs: provide stack information for threads 2009-09-23 07:39:41 -07:00
fcntl.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
fifo.c
file.c
file_table.c fs: move mark_files_ro into file_table.c 2009-06-11 21:36:02 -04:00
filesystems.c fs: Mark get_filesystem_list() as __init function. 2009-04-20 23:02:52 -04:00
fs-writeback.c writeback: fix possible bdi writeback refcounting problem 2009-09-16 15:18:53 +02:00
fs_struct.c
generic_acl.c
inode.c vfs: optimize touch_time() too 2009-09-24 07:47:27 -04:00
internal.h fs: fix overflow in sys_mount() for in-kernel calls 2009-09-24 08:40:15 -04:00
ioctl.c vfs: explicitly cast s_maxbytes in fiemap_check_ranges 2009-09-24 07:47:31 -04:00
ioprio.c
libfs.c libfs: return error code on failed attr set 2009-09-24 07:47:30 -04:00
locks.c const: make lock_manager_operations const 2009-09-22 07:17:25 -07:00
mbcache.c
mpage.c ext4: Properly initialize the buffer_head state 2009-05-13 15:13:42 -04:00
namei.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 2009-09-11 08:55:49 -07:00
namespace.c fs: fix overflow in sys_mount() for in-kernel calls 2009-09-24 08:40:15 -04:00
nfsctl.c
no-block.c
open.c fs: change sys_truncate length parameter type 2009-09-23 09:21:05 -07:00
pipe.c lockdep: Fix lockdep annotation for pipe_double_lock() 2009-07-22 21:14:14 +02:00
pnode.c
pnode.h
posix_acl.c
read_write.c vfs: remove redundant position check in do_sendfile 2009-09-24 07:47:34 -04:00
read_write.h
readdir.c
select.c poll/select: avoid arithmetic overflow in __estimate_accuracy() 2009-09-23 07:39:27 -07:00
seq_file.c vfs: seq_file: add helpers for data filling 2009-09-24 07:47:35 -04:00
signalfd.c
splice.c Merge branch 'for-2.6.32' of git://git.kernel.dk/linux-2.6-block 2009-09-14 17:55:15 -07:00
stack.c
stat.c kill vfs_stat_fd / vfs_lstat_fd 2009-04-20 23:02:52 -04:00
super.c freeze_bdev: grab active reference to frozen superblocks 2009-09-24 07:47:41 -04:00
sync.c fs/buffer.c: clean up EXPORT* macros 2009-09-23 07:39:29 -07:00
timerfd.c
utimes.c
xattr.c VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx. 2009-09-10 10:11:22 +10:00
xattr_acl.c