On Thu, Aug 04, 2016 at 09:18:19PM +0900, Tetsuo Handa wrote:
> On 2016/08/04 6:48, Nicholas Krause wrote:
> > This fixes a kmemleak leak warning complaining about working on
> > unitializied memory as found in the function, getname_flages. Seems
> > that we are indeed working on unitialized memory, as the filename
> > char pointer is never made to point to the filname structure's result
> > member for holding it's name, fix this by using memcpy to copy the
> > filname structure pointer's, name to the char pointer passed to this
> > function.
> >
> > Signed-off-by: Nicholas Krause <xerofoify@xxxxxxxxx>
> > ---
> > fs/namei.c | 1 +
> > mm/early_ioremap.c | 1 +
> > 2 files changed, 2 insertions(+)
> >
> > diff --git a/fs/namei.c b/fs/namei.c
> > index c386a32..6b18d57 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -196,6 +196,7 @@ getname_flags(const char __user *filename, int flags, int *empty)
> > }
> > }
> >
> > + memcpy((char *)result->name, filename, len);
>
> This filename is a __user pointer. Reading with memcpy() is not safe.
Don't feed the troll. On all paths leading to that place we have
result->name = kname;
len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
or
result->name = kname;
len = strncpy_from_user(kname, filename, PATH_MAX);
with failure exits taken if strncpy_from_user() returns an error, which means
that the damn thing has already been copied into.
FWIW, it looks a lot like buggered kmemcheck; as usual, he can't be bothered
to mention which kernel version would it be (let alone how to reproduce it
on the kernel in question), but IIRC davej had run into some instrumentation
breakage lately.
Again, don't feed the troll - you are only inviting an "improved" version
of that garbage, just as pointless.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>