Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[PATCH] Block: Fix block/elevator.c elevator_get() off-by-one error

3 views
Skip to first unread message

wzt...@gmail.com

unread,
Mar 29, 2010, 9:30:02 PM3/29/10
to
elevator_get() not check the name length, if the name length > sizeof(elv),
elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
like aaaaaaaaa, then call request_module() can load an not trust module.

Signed-off-by: Zhitong Wang <zhitong...@alibaba-inc.com>

---
block/elevator.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/elevator.c b/block/elevator.c
index df75676..76e3702 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)

spin_unlock(&elv_list_lock);

- sprintf(elv, "%s-iosched", name);
+ snprintf(elv, sizeof(elv), "%s-iosched", name);

request_module("%s", elv);
spin_lock(&elv_list_lock);
--
1.6.5.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Jens Axboe

unread,
Apr 2, 2010, 2:50:02 AM4/2/10
to
On Tue, Mar 30 2010, wzt...@gmail.com wrote:
> elevator_get() not check the name length, if the name length > sizeof(elv),
> elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
> like aaaaaaaaa, then call request_module() can load an not trust module.

Thanks, good catch! Applied.


--
Jens Axboe

Xiaotian Feng

unread,
Apr 2, 2010, 3:20:01 AM4/2/10
to
On Tue, Mar 30, 2010 at 5:21 PM, <wzt...@gmail.com> wrote:
> elevator_get() not check the name length, if the name length > sizeof(elv),
> elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
> like aaaaaaaaa, then call request_module() can load an not trust module.
>
> Signed-off-by: Zhitong Wang <zhitong...@alibaba-inc.com>
>
> ---
>  block/elevator.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/block/elevator.c b/block/elevator.c
> index df75676..76e3702 100644
> --- a/block/elevator.c
> +++ b/block/elevator.c
> @@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)
>
>                spin_unlock(&elv_list_lock);
>
> -               sprintf(elv, "%s-iosched", name);
> +               snprintf(elv, sizeof(elv), "%s-iosched", name);
>

elv is defined as char elv[ELV_NAME_MAX + strlen("-iosched")];
so if name length > sizeof(elv), the name length must already bigger
than ELV_NAME_MAX

elevator_get is used in elevator_init, so if elevator_init is passing
a super long name, why not just return -EINVAL?
In this patch, if we pass a super long name, we're still trying to cut
it and request_module an invalid name, right?
Although '\0' is kept, but name is still invalid, right?

0 new messages