http://bugzilla.kernel.org/show_bug.cgi?id=14998
--- Comment #15 from Christian Casteyde <casteyde.christ...@free.fr>
2010-01-31 10:52:41 ---
It was quite long due to slow boots with kmemcheck, but I managed to bisect it.
I strictly don't understand why this commit causes the bug, more related to
/proc fs or vfs than to acpi apparently:
eca6f534e61919b28fb21aafbd1c2983deae75be is first bad commit
commit eca6f534e61919b28fb21aafbd1c2983deae75be
Author: Vegard Nossum <vegard.nos...@gmail.com>
Date: Fri Sep 18 13:05:45 2009 -0700
fs: fix overflow in sys_mount() for in-kernel calls
sys_mount() reads/copies a whole page for its "type" parameter. When
do_mount_root() passes a kernel address that points to an object which is
smaller than a whole page, copy_mount_options() will happily go past this
memory object, possibly dereferencing "wild" pointers that could be in any
state (hence the kmemcheck warning, which shows that parts of the next
page are not even allocated).
(The likelihood of something going wrong here is pretty low -- first of
all this only applies to kernel calls to sys_mount(), which are mostly
found in the boot code. Secondly, I guess if the page was not mapped,
exact_copy_from_user() _would_ in fact handle it correctly because of its
access_ok(), etc. checks.)
But it is much nicer to avoid the dubious reads altogether, by stopping as
soon as we find a NUL byte. Is there a good reason why we can't do
something like this, using the already existing strndup_from_user()?
[a...@linux-foundation.org: make copy_mount_string() static]
[AV: fix compat mount breakage, which involves undoing akpm's change above]
Reported-by: Ingo Molnar <mi...@elte.hu>
Signed-off-by: Vegard Nossum <vegard.nos...@gmail.com>
Cc: Al Viro <v...@zeniv.linux.org.uk>
Cc: Pekka Enberg <penb...@cs.helsinki.fi>
Signed-off-by: Andrew Morton <a...@linux-foundation.org>
Signed-off-by: al <a...@dizzy.pdmi.ras.ru>
:040000 040000 a89bfba8d50e5dfc6e77696d93cd772cd0ffacf3
9a3066b7678c117ea08efaf15fe558a63ccbda61 M fs
I append the git bisect log.
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
acpi-bugzilla mailing list
acpi-bugzilla@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acpi-bugzilla
