+ block-elevatorc-fix-block-elevatorc-elevator_get-off-by-one-error.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Thu, 01 Apr 2010 13:14:13 -0700

The patch titled
     block/elevator.c: fix block/elevator.c elevator_get() off-by-one error
has been added to the -mm tree.  Its filename is
     block-elevatorc-fix-block-elevatorc-elevator_get-off-by-one-error.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: block/elevator.c: fix block/elevator.c elevator_get() off-by-one error
From: Zhitong Wang <zhitong.wangzt@xxxxxxxxxxxxxxx>

elevator_get() does not check the name length, if the name length >
sizeof(elv), elv will miss the '\0'.  And elv buffer will replace
"-iosched" as something like aaaaaaaaa, so request_module() can
load an untrusted module.

Signed-off-by: Zhitong Wang <zhitong.wangzt@xxxxxxxxxxxxxxx>
Cc: Jens Axboe <jens.axboe@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 block/elevator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN block/elevator.c~block-elevatorc-fix-block-elevatorc-elevator_get-off-by-one-error block/elevator.c

--- a/block/elevator.c~block-elevatorc-fix-block-elevatorc-elevator_get-off-by-one-error
+++ a/block/elevator.c
@@ -154,7 +154,7 @@ static struct elevator_type *elevator_ge
 
 		spin_unlock(&elv_list_lock);
 
-		sprintf(elv, "%s-iosched", name);
+		snprintf(elv, sizeof(elv), "%s-iosched", name);
 
 		request_module("%s", elv);
 		spin_lock(&elv_list_lock);
_

Patches currently in -mm which might be from zhitong.wangzt@xxxxxxxxxxxxxxx are

linux-next.patch
block-elevatorc-fix-block-elevatorc-elevator_get-off-by-one-error.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




