Subject: [merged] gen_init_cpio-avoid-null-pointer-dereference-and-rework-env-expanding.patch removed from -mm tree To: mina86@xxxxxxxxxx,jj@xxxxxxxxxxxxxx,jkosina@xxxxxxx,keescook@xxxxxxxxxxxx,mm-commits@xxxxxxxxxxxxxxx From: akpm@xxxxxxxxxxxxxxxxxxxx Date: Wed, 13 Nov 2013 12:39:58 -0800 The patch titled Subject: gen_init_cpio: avoid NULL pointer dereference and rework env expanding has been removed from the -mm tree. Its filename was gen_init_cpio-avoid-null-pointer-dereference-and-rework-env-expanding.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Michal Nazarewicz <mina86@xxxxxxxxxx> Subject: gen_init_cpio: avoid NULL pointer dereference and rework env expanding getenv() may return NULL if given environment variable does not exist which leads to NULL dereference when calling strncat. Besides that, the environment variable name was copied to a temporary env_var buffer, but this copying can be avoided by simply using the input string. Lastly, the whole loop can be greatly simplified by using the snprintf function instead of the playing with strncat. By the way, the current implementation allows a recursive variable expansion, as in: $ echo 'out ${A} out ' | A='a ${B} a' B=b /tmp/a out a b a out I'm assuming this is just a side effect and not a conscious decision (especially as this may lead to infinite loop), but I didn't want to change this behaviour without consulting. If the current behaviour is deamed incorrect, I'll be happy to send a patch without recursive processing. Signed-off-by: Michal Nazarewicz <mina86@xxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Jiri Kosina <jkosina@xxxxxxx> Cc: Jesper Juhl <jj@xxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- usr/gen_init_cpio.c | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff -puN usr/gen_init_cpio.c~gen_init_cpio-avoid-null-pointer-dereference-and-rework-env-expanding usr/gen_init_cpio.c --- a/usr/gen_init_cpio.c~gen_init_cpio-avoid-null-pointer-dereference-and-rework-env-expanding +++ a/usr/gen_init_cpio.c @@ -382,24 +382,15 @@ error: static char *cpio_replace_env(char *new_location) { char expanded[PATH_MAX + 1]; - char env_var[PATH_MAX + 1]; - char *start; - char *end; + char *start, *end, *var; - for (start = NULL; (start = strstr(new_location, "${")); ) { - end = strchr(start, '}'); - if (start < end) { - *env_var = *expanded = '\0'; - strncat(env_var, start + 2, end - start - 2); - strncat(expanded, new_location, start - new_location); - strncat(expanded, getenv(env_var), - PATH_MAX - strlen(expanded)); - strncat(expanded, end + 1, - PATH_MAX - strlen(expanded)); - strncpy(new_location, expanded, PATH_MAX); - new_location[PATH_MAX] = 0; - } else - break; + while ((start = strstr(new_location, "${")) && + (end = strchr(start + 2, '}'))) { + *start = *end = 0; + var = getenv(start + 2); + snprintf(expanded, sizeof expanded, "%s%s%s", + new_location, var ? var : "", end + 1); + strcpy(new_location, expanded); } return new_location; _ Patches currently in -mm which might be from mina86@xxxxxxxxxx are origin.patch linux-next.patch debugging-keep-track-of-page-owners-fix-2.patch debugging-keep-track-of-page-owners-fix-2-fix-fix.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html