On Fri, Dec 26, 2008 at 04:00:56PM +0900, Tetsuo Handa wrote:
> Hello.
>
> Américo Wang wrote:
>> How about going to the line:
>>
>>     current->fsuid = fsuid;
>>
>> ? Because when argv_split() fails, helper_argv is NULL and doesn't need
>> to be checked again.
>
> I didn't understand what you said. I'm saying that
> "do_coredump() may access helper_argv[0] when helper_argv == NULL",
> which will result in a "NULL pointer dereference" problem.
> Yes, this problem is unlikely to happen. Thus,
>
>     if (!helper_argv)
>             goto fail_unlock;
>
> may be enough.
>

Yes, goto fail_unlock will go to this line:

        if (helper_argv)
                argv_free(helper_argv);

but in this situation, helper_argv is known to be NULL, so another check
isn't needed. We can go to the line below instead, i.e.

fail_unlock:
        if (helper_argv)
                argv_free(helper_argv);
        current->fsuid = fsuid;    //<=== goto this line
        coredump_finish(mm);

You need to add a new label, of course. :)

--
"Against stupidity, the gods themselves, contend in vain."
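The control flow being argued over above, as an added user-space example that is not part of the thread or of the kernel source: a constructed split_args() stands in for argv_split() and returns NULL on failure, fake_exec() stands in for the helper launch, and dump_to_pipe() models the pipe branch of do_coredump(). The split-failure path jumps past the argv_free() site to a second label that only restores the saved fsuid, so helper_argv[0] is never touched when helper_argv is NULL, while the exec-failure path still lands on the label that frees the vector. All names, the error codes and the "/usr/bin/helper" success string are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for argv_split(): split `str` on spaces into a
 * heap-allocated, NULL-terminated vector.  Returns NULL when there is no
 * token at all or an allocation fails: the case the thread is about. */
static char **split_args(const char *str, int *argcp)
{
    int argc = 0, cap = 4;
    char **argv = malloc((size_t)cap * sizeof(*argv));
    if (!argv)
        return NULL;
    while (*str) {
        while (*str == ' ')
            str++;
        if (!*str)
            break;
        const char *start = str;
        while (*str && *str != ' ')
            str++;
        if (argc + 1 >= cap) {
            cap *= 2;
            char **grown = realloc(argv, (size_t)cap * sizeof(*argv));
            if (!grown)
                goto fail;
            argv = grown;
        }
        size_t len = (size_t)(str - start);
        argv[argc] = malloc(len + 1);
        if (!argv[argc])
            goto fail;
        memcpy(argv[argc], start, len);
        argv[argc][len] = '\0';
        argc++;
    }
    if (argc == 0)          /* nothing to run: report failure as NULL */
        goto fail;
    argv[argc] = NULL;
    *argcp = argc;
    return argv;
fail:
    while (argc--)
        free(argv[argc]);
    free(argv);
    return NULL;
}

/* Stand-in for argv_free(); must never be handed a NULL vector. */
static void free_args(char **argv)
{
    for (char **p = argv; *p; p++)
        free(*p);
    free(argv);
}

enum { DUMP_OK = 0, DUMP_NO_HELPER = -1, DUMP_EXEC_FAILED = -2 };

/* Constructed stand-in for launching the helper: only "/usr/bin/helper"
 * is treated as runnable in this example. */
static int fake_exec(char **argv)
{
    return strcmp(argv[0], "/usr/bin/helper") == 0 ? 0 : -1;
}

/* Models the '|' branch of do_coredump().  `*fsuid` plays the role of
 * current->fsuid: it is lowered for the helper and must be restored on
 * every exit path.  `*helper_ran` reports whether the helper was run. */
static int dump_to_pipe(const char *pattern, int *fsuid, int *helper_ran)
{
    int saved_fsuid = *fsuid;
    int helper_argc = 0;
    char **helper_argv;
    int ret;

    *fsuid = 0;
    *helper_ran = 0;

    helper_argv = split_args(pattern + 1, &helper_argc);   /* skip '|' */
    if (!helper_argv) {
        /* helper_argv is known to be NULL here: skip the free entirely
         * and go straight to the fsuid restore (the new label). */
        ret = DUMP_NO_HELPER;
        goto fail_restore;
    }

    /* Safe: helper_argv is non-NULL and has at least one entry. */
    if (fake_exec(helper_argv) != 0) {
        ret = DUMP_EXEC_FAILED;
        goto fail_unlock;       /* vector was allocated: free it */
    }
    ret = DUMP_OK;
    *helper_ran = 1;

fail_unlock:
    free_args(helper_argv);     /* no NULL check needed at this label */
fail_restore:
    *fsuid = saved_fsuid;
    return ret;
}

int main(void)
{
    const char *patterns[] = { "|", "|/usr/bin/helper %p", "|/bin/other" };
    for (size_t i = 0; i < sizeof(patterns) / sizeof(*patterns); i++) {
        int fsuid = 1000, ran = 0;
        int ret = dump_to_pipe(patterns[i], &fsuid, &ran);
        printf("%-22s ret=%2d ran=%d fsuid=%d\n", patterns[i], ret, ran, fsuid);
    }
    return 0;
}
```

Running it shows all three patterns ending with fsuid back at its saved value; the bare "|" pattern takes the split-failure path and never reaches either the exec or the free.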