mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
eca6f534e6
sys_mount() reads/copies a whole page for its "type" parameter. When do_mount_root() passes a kernel address that points to an object which is smaller than a whole page, copy_mount_options() will happily go past this memory object, possibly dereferencing "wild" pointers that could be in any state (hence the kmemcheck warning, which shows that parts of the next page are not even allocated). (The likelihood of something going wrong here is pretty low -- first of all this only applies to kernel calls to sys_mount(), which are mostly found in the boot code. Secondly, I guess if the page was not mapped, exact_copy_from_user() _would_ in fact handle it correctly because of its access_ok(), etc. checks.) But it is much nicer to avoid the dubious reads altogether, by stopping as soon as we find a NUL byte. Is there a good reason why we can't do something like this, using the already existing strndup_from_user()? [akpm@linux-foundation.org: make copy_mount_string() static] [AV: fix compat mount breakage, which involves undoing akpm's change above] Reported-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: al <al@dizzy.pdmi.ras.ru>
86 lines
1.9 KiB
C
86 lines
1.9 KiB
C
/* fs/ internal definitions
|
|
*
|
|
* Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
struct super_block;
|
|
struct linux_binprm;
|
|
struct path;
|
|
|
|
/*
|
|
* block_dev.c
|
|
*/
|
|
#ifdef CONFIG_BLOCK
|
|
extern struct super_block *blockdev_superblock;
|
|
extern void __init bdev_cache_init(void);
|
|
|
|
static inline int sb_is_blkdev_sb(struct super_block *sb)
|
|
{
|
|
return sb == blockdev_superblock;
|
|
}
|
|
|
|
extern int __sync_blockdev(struct block_device *bdev, int wait);
|
|
|
|
#else
|
|
static inline void bdev_cache_init(void)
|
|
{
|
|
}
|
|
|
|
static inline int sb_is_blkdev_sb(struct super_block *sb)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline int __sync_blockdev(struct block_device *bdev, int wait)
|
|
{
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* char_dev.c
|
|
*/
|
|
extern void __init chrdev_init(void);
|
|
|
|
/*
|
|
* exec.c
|
|
*/
|
|
extern int check_unsafe_exec(struct linux_binprm *);
|
|
|
|
/*
|
|
* namespace.c
|
|
*/
|
|
extern int copy_mount_options(const void __user *, unsigned long *);
|
|
extern int copy_mount_string(const void __user *, char **);
|
|
|
|
extern void free_vfsmnt(struct vfsmount *);
|
|
extern struct vfsmount *alloc_vfsmnt(const char *);
|
|
extern struct vfsmount *__lookup_mnt(struct vfsmount *, struct dentry *, int);
|
|
extern void mnt_set_mountpoint(struct vfsmount *, struct dentry *,
|
|
struct vfsmount *);
|
|
extern void release_mounts(struct list_head *);
|
|
extern void umount_tree(struct vfsmount *, int, struct list_head *);
|
|
extern struct vfsmount *copy_tree(struct vfsmount *, struct dentry *, int);
|
|
|
|
extern void __init mnt_init(void);
|
|
|
|
/*
|
|
* fs_struct.c
|
|
*/
|
|
extern void chroot_fs_refs(struct path *, struct path *);
|
|
|
|
/*
|
|
* file_table.c
|
|
*/
|
|
extern void mark_files_ro(struct super_block *);
|
|
|
|
/*
|
|
* super.c
|
|
*/
|
|
extern int do_remount_sb(struct super_block *, int, void *, int);
|