On Tuesday, July 11, 2017 7:34:21 PM IST Chandan Rajendra wrote:
> On ppc64, When a non-nul terminated string is passed as an argument to
> the mount(2) syscall, copy_mount_string() ends up allocating 64k (the
> PAGE_SIZE on ppc64) worth of space for holding the string in kernel's
> address space.
>
> Later, in set_precision() (invoked indirectly by get_fs_type()), we end
> up assigning 65535 as the value to 'struct printf_spec'->precision
> member. This field has a width of 16 bits and also it is signed data
> type. Hence an invalid value ends up getting assigned. This causes the
> "WARN_ONCE(spec->precision != prec, "precision %d too large", prec)"
> statement inside set_precision() to be executed.
>
> This commit fixes the bug by validating the length of the "filesystem
> type" argument passed to get_fs_type() function.
>
> Signed-off-by: Chandan Rajendra <chandan@xxxxxxxxxxxxxxxxxx>
> Reported-by: Abdul Haleem <abdhalee@xxxxxxxxxxxxxxxxxx>
> Suggested-by: Joe Perches <joe@xxxxxxxxxxx>
> ---
> Changelog:
> v1->v2: Fix commit message.
>
> fs/filesystems.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/filesystems.c b/fs/filesystems.c
> index a920ad2..8e309d3 100644
> --- a/fs/filesystems.c
> +++ b/fs/filesystems.c
> @@ -275,6 +275,9 @@ struct file_system_type *get_fs_type(const char *name)
> const char *dot = strchr(name, '.');
> int len = dot ? dot - name : strlen(name);
>
> + if (len >= PATH_MAX)
> + return NULL;
> +
> fs = __get_fs_type(name, len);
> if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
> fs = __get_fs_type(name, len);
>
Hi Al Viro,
Can you please let me know if you have any review comments about this patch.
--
chandan
