On Wed, 21 Feb 2018 22:53:40 +0300 Alexey Dobriyan <[email protected]> wrote:

> I totally forgot that _parse_integer() accepts arbitrary amount of
> leading zeroes leading to the following:
> 
>               OK
>       # readlink /proc/1/map_files/56427ecba000-56427eddc000
>       /lib/systemd/systemd
> 
>               bogus
>       # readlink /proc/1/map_files/00000000000056427ecba000-56427eddc000
>       /lib/systemd/systemd
>       # readlink /proc/1/map_files/56427ecba000-00000000000056427eddc000
>       /lib/systemd/systemd
> 
> ...
> 
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -1916,6 +1916,8 @@ static int dname_to_vma_addr(struct dentry *dentry,
>       unsigned long long sval, eval;
>       unsigned int len;
>  
> +     if (str[0] == '0' && str[1])
> +             return -EINVAL;
>       len = _parse_integer(str, 16, &sval);
>       if (len & KSTRTOX_OVERFLOW)
>               return -EINVAL;
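Review bot: the new check before the first _parse_integer() also rejects a start address of exactly 0, because the name "0-<end>" has str[0] == '0' and str[1] == '-', so the condition is true and -EINVAL is returned for what is the canonical spelling. Compare the second character against the separator instead, e.g. `if (str[0] == '0' && str[1] != '-')`, which still rejects padded forms such as "00000000000056427ecba000-..." from the report while keeping a zero start address reachable. A one-line comment stating the invariant (the directory names are printed without leading zeros, as in the readlink example above, so a nonzero address never begins with '0') would also spare the next reader the confusion.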
> @@ -1927,6 +1929,8 @@ static int dname_to_vma_addr(struct dentry *dentry,
>               return -EINVAL;
>       str++;
>  
> +     if (str[0] == '0' && str[1])
> +             return -EINVAL;
>       len = _parse_integer(str, 16, &eval);
>       if (len & KSTRTOX_OVERFLOW)
>               return -EINVAL;
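Review bot: the check on the end address is right as written, since the name ends at NUL here and any nonzero str[1] after a '0' can only be padding, but it is the same test as in the first hunk with a different terminator and neither site says why a leading '0' followed by anything is invalid. Either factor a small helper that takes the terminator character, or put the invariant in a comment next to both checks: the names are generated without leading zeros, so "0" is the only component that may start with '0'.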

I don't know this code and I'm all confused.

- why is the code designed to accept addresses of "0"?

- how do we know that the first digit of a VMA address will never be 0?

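The aliasing the patch fixes, as an added example that is not part of the quoted patch or of the kernel source: a stand-alone C parser for "<start>-<end>" names that accepts only the canonical spelling shown in the readlink output (lowercase hex, no leading zeros, "0" itself allowed as a start address) and rejects every other spelling of the same range. The function names, the treatment of uppercase digits and the constructed input names are assumptions of this example, not kernel code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not the kernel's dname_to_vma_addr(): parse a map_files
 * entry name and accept only the canonical spelling, i.e. the one the
 * names on the page use: lowercase hex digits, no leading zeros, with "0"
 * the only component that may begin with '0'.
 * Returns 0 and fills *start/*end on success, -EINVAL otherwise.
 */

static int hexval(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;  /* assumption: uppercase is not canonical, so reject it */
}

/*
 * Parse one component that must end exactly at 'term' ('-' or NUL).
 * Canonical rule: either the single digit "0", or a nonzero first digit
 * followed by hex digits; at most 16 digits fit an unsigned 64-bit value,
 * so the overflow check never has to look at a padded prefix.
 */
static int parse_canonical_hex(const char *s, char term,
                               unsigned long long *out, const char **endp)
{
    unsigned long long v = 0;
    size_t n = 0;

    if (s[0] == term)                   /* empty component */
        return -EINVAL;
    if (s[0] == '0' && s[1] != term)    /* padding zero, e.g. "000056427..." */
        return -EINVAL;

    while (s[n] != term) {
        int d = hexval(s[n]);

        if (d < 0)                      /* non-hex char, including early NUL */
            return -EINVAL;
        if (n >= 16)                    /* 17th digit would overflow 64 bits */
            return -EINVAL;
        v = (v << 4) | (unsigned long long)d;
        n++;
    }
    *out = v;
    *endp = s + n;
    return 0;
}

/* Name is "<start>-<end>"; both halves must be canonical, nothing may follow. */
int map_files_name_to_range(const char *name,
                            unsigned long long *start, unsigned long long *end)
{
    const char *p;

    if (parse_canonical_hex(name, '-', start, &p))
        return -EINVAL;
    p++;                                /* skip the '-' */
    if (parse_canonical_hex(p, '\0', end, &p))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the names from the report plus edge cases. */
    static const char *const names[] = {
        "56427ecba000-56427eddc000",             /* canonical */
        "00000000000056427ecba000-56427eddc000", /* padded start (report) */
        "56427ecba000-00000000000056427eddc000", /* padded end (report) */
        "0-1000",                                /* start address exactly 0 */
        "56427ECBA000-56427eddc000",             /* uppercase spelling */
        "56427ecba000",                          /* missing separator */
        "1ffffffffffffffff-0",                   /* 17 digits: overflow */
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        unsigned long long s, e;

        if (map_files_name_to_range(names[i], &s, &e) == 0)
            printf("accepted %-40s -> %llx-%llx\n", names[i], s, e);
        else
            printf("rejected %s\n", names[i]);
    }
    return 0;
}
```

Only the first and fourth names are accepted; the two padded names from the report, the uppercase spelling, the name without a separator and the 17-digit component are all rejected, so each range has exactly one name that resolves.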