Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()

From: Jeremy Fitzhardinge (jeremy_at_goop.org)
Date: 11/30/04

    To: linux-kernel <linux-kernel@vger.kernel.org>
    Date:	Mon, 29 Nov 2004 20:05:20 -0800
    
    

    struct task_struct.comm is defined to be 16 chars, but
    arch/x86_64/sys_ia32.c:sys32_ni_syscall() copies it into a static 8 byte
    buffer, which will surely cause problems. This patch makes lastcomm[]
    the right size, and makes sure it can't be overrun. Since the code also
    goes to the effort of getting a local copy of current in "me", we may as
    well use it for printing the message.

    Patch is against 2.6.10-rc2-mm3.

            J

     arch/x86_64/ia32/sys_ia32.c | 11 ++++++-----
     1 files changed, 6 insertions(+), 5 deletions(-)

    diff -puN arch/x86_64/ia32/sys_ia32.c~short-comm-string arch/x86_64/ia32/sys_ia32.c
    --- local-2.6/arch/x86_64/ia32/sys_ia32.c~short-comm-string 2004-11-29 19:51:02.922621617 -0800
    +++ local-2.6-jeremy/arch/x86_64/ia32/sys_ia32.c 2004-11-29 19:52:43.493561830 -0800
    @@ -525,11 +525,12 @@ sys32_waitpid(compat_pid_t pid, unsigned
     int sys32_ni_syscall(int call)
     {
             struct task_struct *me = current;
    - static char lastcomm[8];
    - if (strcmp(lastcomm, me->comm)) {
    - printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
    - current->comm);
    - strcpy(lastcomm, me->comm);
    + static char lastcomm[sizeof(me->comm)];
    +
    + if (strncmp(lastcomm, me->comm, sizeof(lastcomm))) {
    + printk(KERN_INFO "IA32 syscall %d from %s not implemented\n", call,
    + me->comm);
    + strncpy(lastcomm, me->comm, sizeof(lastcomm));
             }
             return -ENOSYS;
     }
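
    Review bot: the new strncpy(lastcomm, me->comm, sizeof(lastcomm)) call will not NUL-terminate lastcomm if me->comm ever fills all sizeof(me->comm) bytes, so the buffer is only safe because its one reader in this hunk is the equally bounded strncmp(). Either add a comment stating that lastcomm must never be passed to an unbounded string function (printk "%s", strcmp, strlen), or use strlcpy(lastcomm, me->comm, sizeof(lastcomm)) so termination is guaranteed by construction. Separately, lastcomm is a function-level static that is read and written with no locking visible here, so two tasks entering sys32_ni_syscall() at the same time can interleave the compare and the copy. The result is at worst a repeated or skipped log line, but that is worth a one-line comment. Note also that the message is suppressed per comm only, so a second unimplemented call number from the same comm is not logged.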

    _

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

