Re: [PATCH] Fix user data corrupted by old value return of sysctl

From: YOSHIFUJI Hideaki / 吉藤英明
Date: Sat Dec 31 2005 - 06:46:00 EST


Hello.

In article <Pine.LNX.4.64.0512300916220.3249@xxxxxxxxxxx> (at Fri, 30 Dec 2005 09:25:35 -0800 (PST)), Linus Torvalds <torvalds@xxxxxxxx> says:

> On Fri, 30 Dec 2005, Yi Yang wrote:
> >
> > If the user reads a sysctl entry which is of string type
> > by sysctl syscall, this call probably corrupts the user data
> > right after the old value buffer, the issue lies in sysctl_string
> > seting 0 to oldval[len], len is the available buffer size
> > specified by the user, obviously, this will write to the first
> > byte of the user memory place immediate after the old value buffer,
> > the correct way is that sysctl_string doesn't set 0, the user
> > should do it by self in the program.
:
> We _should_ zero-pad the data, at least if the result fits in the buffer.
:
> But even that is questionable: one alternative is to always zero-pad (like
> we used to), but make sure that the buffer size is sufficient for it (ie
> instead of adding one to the length of the string, we'd subtract one from
> the buffer length and make sure that the '\0' fits..

How about returning -ENOMEM, as BSDs (FreeBSD and NetBSD
at least) do. No?

--yoshfuji
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/