Commit:     321bcf92163038e2b96fd3bf9bc29f755c81d9ef
Parent:     b68680e4731abbd78863063aaa0dca2a6d8cc723
Author:     J. Bruce Fields <[EMAIL PROTECTED]>
AuthorDate: Sun Oct 21 16:41:38 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Mon Oct 22 08:13:18 2007 -0700

    dcache: don't expose uninitialized memory in /proc/<pid>/fd/<fd>

    Well, it's not especially important that target->d_iname get the contents
    of dentry->d_iname, but it's important that it get initialized with
    *something*, otherwise we're just exposing some random piece of memory to
    anyone who reads the link at /proc/<pid>/fd/<fd> for the deleted file, when
    it's still held open by someone.

    I've run a test program that copies a short (<36 character) name on top of a
    long (>=36 character) name and see that the first time I run it, without
    this patch, I get unpredictable results out of /proc/<pid>/fd/<fd>.

    Signed-off-by: J. Bruce Fields <[EMAIL PROTECTED]>
    Cc: Al Viro <[EMAIL PROTECTED]>
    Cc: Christoph Hellwig <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>

 fs/dcache.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 2bb3f7a..d9ca1e5 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1479,6 +1479,8 @@ static void switch_names(struct dentry *dentry, struct 
dentry *target)
                         * dentry:internal, target:external.  Steal target's
                         * storage and make target internal.
+                       memcpy(target->d_iname, dentry->,
+                                       dentry->d_name.len + 1);
                        dentry-> = target->;
                        target-> = target->d_iname;
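
Review bot: the added memcpy into target->d_iname has no comment explaining why it is there, and the existing comment only says "Steal target's storage and make target internal", so a later cleanup could take the copy for redundant and drop it. A short comment stating that target->d_iname must hold initialized data before target's name pointer is switched to it, because it can be read back through /proc/<pid>/fd/<fd>, would protect the fix. The length dentry->d_name.len + 1 also depends on the "dentry:internal" condition of this branch to guarantee that the name and its terminating NUL fit in d_iname; saying so in the same comment would make the bound explicit.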
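
A simplified user-space model of the case the commit message describes, added here as an illustration; it is not kernel code and not part of the original commit. `struct mdentry`, `model_switch`, `leaks_stale` and the `#` fill that stands in for stale memory are hypothetical names and constructed values, and the length swap is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INLINE_LEN 36 /* the 36-character threshold from the commit message */

/* Hypothetical stand-in for a dentry: name points at d_iname or at the heap. */
struct mdentry { char *name; size_t len; char d_iname[INLINE_LEN]; };

static void model_init(struct mdentry *d, const char *s)
{
    /* Constructed stale bytes stand in for whatever the memory held before. */
    memset(d->d_iname, '#', INLINE_LEN - 1);
    d->d_iname[INLINE_LEN - 1] = '\0';
    d->len = strlen(s);
    d->name = d->len < INLINE_LEN ? d->d_iname : malloc(d->len + 1);
    if (!d->name) abort();
    memcpy(d->name, s, d->len + 1);
}

/* dentry:internal, target:external case; `patched` enables the added memcpy. */
static void model_switch(struct mdentry *dentry, struct mdentry *target, int patched)
{
    size_t len = dentry->len;
    if (patched)
        memcpy(target->d_iname, dentry->name, dentry->len + 1);
    dentry->name = target->name;    /* steal target's external storage */
    target->name = target->d_iname; /* make target internal */
    dentry->len = target->len;      /* model assumption: lengths swap too */
    target->len = len;
}

/* Returns 1 when target's name reads back as stale bytes after the switch. */
static int leaks_stale(int patched)
{
    struct mdentry dentry, target;
    model_init(&dentry, "short.txt");
    model_init(&target, "a-name-of-at-least-thirty-six-characters.txt");
    model_switch(&dentry, &target, patched);
    int leaked = strcmp(target.name, "short.txt") != 0;
    free(dentry.name); /* dentry now owns the heap buffer */
    return leaked;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", leaks_stale(0), leaks_stale(1));
    return 0;
}
```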