+ fix-count-compat_count-bounds-checking.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Fri, 19 Sep 2008 14:43:37 -0700

The patch titled
     exec.c, compat.c: fix count(), compat_count() bounds checking
has been added to the -mm tree.  Its filename is
     fix-count-compat_count-bounds-checking.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: exec.c, compat.c: fix count(), compat_count() bounds checking
From: Jason Baron <jbaron@xxxxxxxxxx>

With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()' and
compat_count(), it would appear that the current max bounds check of
fs/exec.c:394:

	if(++i > max)
		return -E2BIG;

would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.

Simple fix seems to be chaning ++i to i++ and checking for '>='.

Signed-off-by: Jason Baron <jbaron@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/compat.c |    2 +-
 fs/exec.c   |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff -puN fs/compat.c~fix-count-compat_count-bounds-checking fs/compat.c

--- a/fs/compat.c~fix-count-compat_count-bounds-checking
+++ a/fs/compat.c
@@ -1239,7 +1239,7 @@ static int compat_count(compat_uptr_t __
 			if (!p)
 				break;
 			argv++;
-			if(++i > max)
+			if (i++ >= max)
 				return -E2BIG;
 		}
 	}
diff -puN fs/exec.c~fix-count-compat_count-bounds-checking fs/exec.c
--- a/fs/exec.c~fix-count-compat_count-bounds-checking
+++ a/fs/exec.c
@@ -391,7 +391,7 @@ static int count(char __user * __user * 
 			if (!p)
 				break;
 			argv++;
-			if(++i > max)
+			if (i++ >= max)
 				return -E2BIG;
 			cond_resched();
 		}
_

Patches currently in -mm which might be from jbaron@xxxxxxxxxx are

linux-next.patch
fix-count-compat_count-bounds-checking.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




