Commit 8c42b547 authored by Kirill Korotaev, committed by Linus Torvalds

[PATCH] 4/4GB: Incorrect bound check in do_getname()

This patch fixes incorrect address range check in do_getname().
Theoretically this can lead to do_getname() failure on kernel address space
string on the TASK_SIZE boundary addresses when 4GB split is ON.

(akpm: I don't see why this check exists at all, actually.  afaict the only
effect of removing it is that we'll then generate -EFAULT on a
non-null-terminated pathname which ends exactly at TASK_SIZE).
Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent b6a6107a
......@@ -116,13 +116,14 @@ static inline int do_getname(const char __user *filename, char *page)
int retval;
unsigned long len = PATH_MAX;
if ((unsigned long) filename >= TASK_SIZE) {
if (!segment_eq(get_fs(), KERNEL_DS))
if (!segment_eq(get_fs(), KERNEL_DS)) {
if ((unsigned long) filename >= TASK_SIZE)
return -EFAULT;
} else if (TASK_SIZE - (unsigned long) filename < PATH_MAX)
if (TASK_SIZE - (unsigned long) filename < PATH_MAX)
len = TASK_SIZE - (unsigned long) filename;
}
retval = strncpy_from_user((char *)page, filename, len);
retval = strncpy_from_user(page, filename, len);
if (retval > 0) {
if (retval < len)
return 0;
......
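Review bot: The new `if (!segment_eq(get_fs(), KERNEL_DS))` block has no comment saying why both the `filename >= TASK_SIZE` rejection and the `len` clamp are skipped for KERNEL_DS callers, which is the whole point of the fix. After this change a KERNEL_DS caller always passes `len = PATH_MAX` to `strncpy_from_user()`, so the copy relies entirely on that function to stop at the terminator or fault; a one-line comment above the block stating this would make the intent reviewable. The commit message also records akpm's doubt that the clamp is needed at all, so it would be worth settling in this change whether the `TASK_SIZE - (unsigned long) filename < PATH_MAX` branch should stay. Dropping the `(char *)` cast on `page` is fine given the `char *page` parameter, but it is unrelated cleanup and would read better as its own change.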