rpms/kernel/FC-4 linux-2.6.15-various-fixes.patch, NONE, 1.1 kernel-2.6.spec, 1.1552, 1.1553

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jan 4 02:41:14 UTC 2006


Author: davej

Update of /cvs/dist/rpms/kernel/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv10122

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6.15-various-fixes.patch 
Log Message:
- Small fixes from 2.6.15
  sysctl: don't overflow the user-supplied buffer with '0'
  sysctl: make sure to terminate strings with a NUL
  Insanity avoidance in /proc



linux-2.6.15-various-fixes.patch:
 b/fs/proc/generic.c |   47 +++++++++++++++++++++++------------------------
 b/kernel/sysctl.c   |    4 +---
 kernel/sysctl.c     |   25 +++++++++++++++----------
 3 files changed, 39 insertions(+), 37 deletions(-)

--- NEW FILE linux-2.6.15-various-fixes.patch ---

tree 2e1aaa5e4e68057a4e96a606e2ad0bcccedcd6df
parent 8b90db0df7187a01fb7177f1f812123138f562cf
author Linus Torvalds <torvalds at g5.osdl.org> Sat, 31 Dec 2005 09:18:53 -0800
committer Linus Torvalds <torvalds at g5.osdl.org> Sat, 31 Dec 2005 09:18:53 -0800

sysctl: don't overflow the user-supplied buffer with '0'

If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi at gmail.com>

Signed-off-by: Linus Torvalds <torvalds at osdl.org>

 kernel/sysctl.c |    4 +---
 1 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9990e10..ad0425a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int 
 		if (get_user(len, oldlenp))
 			return -EFAULT;
 		if (len) {
-			l = strlen(table->data);
+			l = strlen(table->data)+1;
 			if (len > l) len = l;
 			if (len >= table->maxlen)
 				len = table->maxlen;
 			if(copy_to_user(oldval, table->data, len))
 				return -EFAULT;
-			if(put_user(0, ((char __user *) oldval) + len))
-				return -EFAULT;
 			if(put_user(len, oldlenp))
 				return -EFAULT;
 		}
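Review bot: After this change the bytes copied to oldval are no longer guaranteed to end in a NUL when the user buffer is shorter than strlen(table->data)+1: the clamp `if (len > l) len = l;` copies exactly the buffer length and the terminator is simply dropped, so a caller that treats the result as a C string reads past its own buffer. Removing the `put_user(0, ... + len)` that wrote the terminator one byte past the user buffer is the right fix for the overflow itself; the follow-up patch on this page ("sysctl: make sure to terminate strings with a NUL") reserves the last byte of the buffer for the terminator and is the version that should actually ship. sysctl_string begins above this hunk and its write path continues below it.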


tree ef7805d1e03e8648fbaca3713d1a749c27770339
parent 35f349ee082de0be45eb23926d9fc7569f5011f0
author Linus Torvalds <torvalds at g5.osdl.org> Sun, 01 Jan 2006 09:00:29 -0800
committer Linus Torvalds <torvalds at g5.osdl.org> Sun, 01 Jan 2006 09:00:29 -0800

sysctl: make sure to terminate strings with a NUL

This is a slightly more complete fix for the previous minimal sysctl
string fix.  It always terminates the returned string with a NUL, even
if the full result wouldn't fit in the user-supplied buffer.

The returned length is the full untruncated length, so that you can
tell when truncation has occurred.

Signed-off-by: Linus Torvalds <torvalds at osdl.org>

 kernel/sysctl.c |   25 +++++++++++++++----------
 1 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e5102ea..b53115b 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2192,27 +2192,32 @@ int sysctl_string(ctl_table *table, int 
 		  void __user *oldval, size_t __user *oldlenp,
 		  void __user *newval, size_t newlen, void **context)
 {
-	size_t l, len;
-	
 	if (!table->data || !table->maxlen) 
 		return -ENOTDIR;
 	
 	if (oldval && oldlenp) {
-		if (get_user(len, oldlenp))
+		size_t bufsize;
+		if (get_user(bufsize, oldlenp))
 			return -EFAULT;
-		if (len) {
-			l = strlen(table->data)+1;
-			if (len > l) len = l;
-			if (len >= table->maxlen)
+		if (bufsize) {
+			size_t len = strlen(table->data), copied;
+
+			/* This shouldn't trigger for a well-formed sysctl */
+			if (len > table->maxlen)
 				len = table->maxlen;
-			if(copy_to_user(oldval, table->data, len))
+
+			/* Copy up to a max of bufsize-1 bytes of the string */
+			copied = (len >= bufsize) ? bufsize - 1 : len;
+
+			if (copy_to_user(oldval, table->data, copied) ||
+			    put_user(0, (char __user *)(oldval + copied)))
 				return -EFAULT;
-			if(put_user(len, oldlenp))
+			if (put_user(len, oldlenp))
 				return -EFAULT;
 		}
 	}
 	if (newval && newlen) {
-		len = newlen;
+		size_t len = newlen;
 		if (len > table->maxlen)
 			len = table->maxlen;
 		if(copy_from_user(table->data, newval, len))
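Review bot: The comment `/* This shouldn't trigger for a well-formed sysctl */` on the `len > table->maxlen` clamp overstates what the clamp buys: strlen(table->data) has already run on the previous line, so a table entry whose data is not NUL-terminated within maxlen has already been scanned past its end, and the clamp only bounds what is copied and what is reported, not that read. I'd make the comment say so, e.g. `/* strlen() has already run past maxlen if the entry is malformed; this only bounds the copy and the reported length */`. It would also help to note at `put_user(len, oldlenp)` that the value reported is the full (clamped) string length rather than the number of bytes copied, so a caller detects truncation by comparing it with its own bufsize; the description states this but nothing in the code does. sysctl_string starts and ends outside this hunk, and the write path's own termination of table->data is not visible here.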


tree 8d7029403cc50d822bc22085202bfdbf6110203b
parent 40c37213a081990b1d3778f57630f97df75a7ec1
author Linus Torvalds <torvalds at g5.osdl.org> Sat, 31 Dec 2005 00:39:10 -0800
committer Linus Torvalds <torvalds at g5.osdl.org> Sat, 31 Dec 2005 00:39:10 -0800

Insanity avoidance in /proc

The old /proc interfaces were never updated to use loff_t, and are just
generally broken.  Now, we should be using the seq_file interface for
all of the proc files, but converting the legacy functions is more work
than most people care for and has little upside..

But at least we can make the non-LFS rules explicit, rather than just
insanely wrapping the offset or something.

Signed-off-by: Linus Torvalds <torvalds at osdl.org>

 fs/proc/generic.c |   47 +++++++++++++++++++++++------------------------
 1 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index b638fb5..72b431d 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -54,6 +54,18 @@ proc_file_read(struct file *file, char _
 	ssize_t	n, count;
 	char	*start;
 	struct proc_dir_entry * dp;
+	unsigned long long pos;
+
+	/*
+	 * Gaah, please just use "seq_file" instead. The legacy /proc
+	 * interfaces cut loff_t down to off_t for reads, and ignore
+	 * the offset entirely for writes..
+	 */
+	pos = *ppos;
+	if (pos > MAX_NON_LFS)
+		return 0;
+	if (nbytes > MAX_NON_LFS - pos)
+		nbytes = MAX_NON_LFS - pos;
 
 	dp = PDE(inode);
 	if (!(page = (char*) __get_free_page(GFP_KERNEL)))
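Review bot: After the clamp `nbytes = MAX_NON_LFS - pos;` nbytes can be zero (pos == MAX_NON_LFS passes the `pos > MAX_NON_LFS` test), and the code then goes on to allocate a page for a read that cannot return anything; a one-line `if (!nbytes) return 0;` after the clamp avoids that, unless the remainder of proc_file_read (which lies outside this hunk) already short-circuits on zero nbytes. Since pos is `unsigned long long` and *ppos is presumably loff_t, a negative file position converts to a huge value and is rejected by the same `pos > MAX_NON_LFS` test; that is a useful property and worth a phrase in the new comment block so nobody "fixes" the type later. The function's signature and the rest of its body are outside the hunk.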
@@ -202,30 +214,17 @@ proc_file_write(struct file *file, const
 static loff_t
 proc_file_lseek(struct file *file, loff_t offset, int orig)
 {
-    lock_kernel();
-
-    switch (orig) {
-    case 0:
-	if (offset < 0)
-	    goto out;
-	file->f_pos = offset;
-	unlock_kernel();
-	return(file->f_pos);
-    case 1:
-	if (offset + file->f_pos < 0)
-	    goto out;
-	file->f_pos += offset;
-	unlock_kernel();
-	return(file->f_pos);
-    case 2:
-	goto out;
-    default:
-	goto out;
-    }
-
-out:
-    unlock_kernel();
-    return -EINVAL;
+	loff_t retval = -EINVAL;
+	switch (orig) {
+	case 1:
+		offset += file->f_pos;
+	/* fallthrough */
+	case 0:
+		if (offset < 0 || offset > MAX_NON_LFS)
+			break;
+		file->f_pos = retval = offset;
+	}
+	return retval;
 }
 
 static int proc_notify_change(struct dentry *dentry, struct iattr *iattr)
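Review bot: In the rewritten proc_file_lseek, `offset += file->f_pos;` in case 1 runs before the range check, so a very large positive user-supplied offset overflows the signed loff_t addition (undefined behaviour in C; the wrapped negative value is what the following `offset < 0` test then happens to catch). Checking the relative offset first, `if (offset > MAX_NON_LFS) break;` before the addition, rejects such an offset without overflowing, given that f_pos is non-negative after this function's own checks (assuming nothing else stores a negative f_pos). The switch also has no `default:` arm; orig == 2 and unknown whence values fall out with retval still -EINVAL, which is intended but worth making explicit with `default: break;` or a one-line comment. Dropping the lock_kernel()/unlock_kernel() pair around the f_pos update is a behaviour change the description does not mention; a sentence in the description or a short comment saying why the lock is not needed here would help the next reader.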



Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-4/kernel-2.6.spec,v
retrieving revision 1.1552
retrieving revision 1.1553
diff -u -r1.1552 -r1.1553
--- kernel-2.6.spec	3 Jan 2006 13:59:11 -0000	1.1552
+++ kernel-2.6.spec	4 Jan 2006 02:41:11 -0000	1.1553
@@ -203,6 +203,7 @@
 # Patches 0 through 100 are meant for core subsystem upgrades
 #
 Patch1: patch-2.6.14.5.bz2
+Patch2: linux-2.6.15-various-fixes.patch
 
 # Patches 100 through 500 are meant for architecture patches
 Patch100: linux-2.6-bzimage.patch
@@ -544,6 +545,7 @@
 cd linux-%{kversion}
 
 %patch1 -p1
+%patch2 -p1
 
 #
 # Patches 10 through 100 are meant for core subsystem upgrades
@@ -1277,7 +1279,13 @@
 %endif
 
 %changelog
-* Sun Jan  1 2006 Dave Jones <davej at redhat.com> [2.6.14-1.1655_FC4]
+* Tue Jan  3 2006 Dave Jones <davej at redhat.com> [2.6.14-1.1655_FC4]
+- Small fixes from 2.6.15
+  sysctl: don't overflow the user-supplied buffer with '0'
+  sysctl: make sure to terminate strings with a NUL
+  Insanity avoidance in /proc
+
+* Sun Jan  1 2006 Dave Jones <davej at redhat.com>
 - Fix the ACPI whitelist date again.
 
 * Wed Dec 28 2005 Dave Jones <davej at redhat.com>



