Re: Mysterious string truncation in 2.4.25 kernel

[Glen Nakamura]

On Tue, Mar 02, 2004 at 11:03:15PM -0500, James Morris wrote:
> I don't see how the patch could be related to the problem you are seeing.  

Thanks for the response...  I took another look and my current theory is
that the problem occurs in the following invocation of do_mount:

void __init mount_devfs_fs (void)
{
    int err;
                                                                                
    if ( !(boot_options & OPTION_MOUNT) ) return;
    if (err == 0) printk (KERN_INFO "Mounted devfs on /dev\n");
    else PRINTK ("(): unable to mount devfs, err: %d\n", err);
}   /*  End Function mount_devfs_fs  */

This call to do_mount is on line 3552 of fs/devfs/base.c and passes a const
string as the data_page parameter.  Then in do_mount in fs/namespace.c on
line 718:

	if (data_page)
		((char *)data_page)[PAGE_SIZE - 1] = 0;

The above statement zeros a byte that is out of bounds and corrupts another
string in the same section of memory.  In my build, this happens to truncate
the "serial" string to "se".

So is it really safe to simply zero the byte at [PAGE_SIZE - 1]?
The comment says "up to PAGE_SIZE-1 bytes", _not_ "exactly PAGE_SIZE-1 bytes".
It doesn't mention anything about padding, etc.

Of course, perhaps 0 should passed instead of "" for data_page?

-    err = do_mount ("none", "/dev", "devfs", 0, "");
+    err = do_mount ("none", "/dev", "devfs", 0, 0);

Comments?

- glen
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/