Re: [PATCH 1/1] initramfs: strcpy destination string overflow
From: H. Peter Anvin
Date: Tue Oct 05 2010 - 12:01:36 EST
On 10/05/2010 08:55 AM, Linus Torvalds wrote:
> On Tue, Oct 5, 2010 at 1:44 AM, Evgeny Kuznetsov
> <EXT-Eugeny.Kuznetsov@xxxxxxxxx> wrote:
>> From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@xxxxxxxxx>
>>
>> Function "strcpy()" is used without check for maximum allowed
>> source string length and could cause destination string overflow.
>> "strcpy()" is replaced by "strlcpy()" to prevent destination
>> string overflow.
>
> I think this is wrong.
>
> If the name is too long to fit in the hash table, we should not create
> a new hash entry at all, because we'd be returning the wrong
> (truncated) name when we find it next time.
>
> So it would be much better to just do
>
> if (strlen(name) >= sizeof(q->name))
> return NULL;
>
> in find_link(), because as far as I can tell, the hard-linking is
> always just an optimization.
>
> Comments? Peter?
The hard-linking is unfortunately not just an optimization; if you
ignore it you will create one copy of the file and some number of
zero-length files, since the data isn't duplicated. As such, printk'ing
an error message and ignoring it is probably the right thing to do.
Truncation is definitely wrong.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/