[BusyBox 0000323]: mount.c - passing "-t" option sometimes causes memory copy outside of RAM in the Linux kernel
bugs at busybox.net
Fri Sep 2 16:27:13 UTC 2005
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=323
======================================================================
Reported By: Kasey Erickson
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 323
Category: Other
Reproducibility: random
Severity: major
Priority: normal
Status: feedback
======================================================================
Date Submitted: 07-05-2005 14:40 PDT
Last Modified: 09-02-2005 09:27 PDT
======================================================================
Summary: mount.c - passing "-t" option sometimes causes
memory copy outside of RAM in the Linux kernel
Description:
uClinux 2.4.22, busybox 1.00-pre3, util-linux/mount.c, mount_main() - When
passing "-t" to mount, optarg's value is copied to filesystemType. This
becomes a problem when the address copied from optarg to filesystemType is
less than TASK_SIZE (4096 in Linux) bytes from the end of RAM.
linux/fs/namespace.c, copy_mount_options() copies 4096 bytes (on our
platform) for each pointer passed to it. Roughly 40% of the time the
address optarg holds is 200 bytes from the end of RAM. This causes the
copy in copy_mount_options to exceed memory. access_ok() in the kernel
should catch this, but in uClinux it is defined as "0".
By inspection it appears that the same problem can occur to "devices" and
"string_flags" in mount_main. I haven't seen these pointers produce
problems at run-time though.
A patch that works for me is attached.
======================================================================
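Added example, not the reporter's attached mount.c.patch and not BusyBox code: a small C program that makes the hazard in the report concrete and shows the defensive pattern a userspace mount front end can use. It assumes, as the report states, that the kernel's copy_mount_options() reads a fixed 4096 bytes from each of the dev, type and data pointers and that access_ok() is a no-op on the no-MMU target; the address layout in main() (64 MiB of RAM, optarg 200 bytes before its end) is constructed for illustration. mount_copy_overruns_ram() is the check for the condition the report describes; bounded_mount_arg() and bounded_mount() are hypothetical helper names that copy each string into its own zero-filled 4096-byte heap buffer before calling mount(2), so the kernel's fixed-length read stays inside memory the process owns regardless of where the original argv string happened to land.

```c
/* Added example for BusyBox issue 0000323: keep the kernel's fixed-length
 * read of mount(2) string arguments inside memory we own. Not the
 * reporter's patch. Assumes copy_mount_options() reads 4096 bytes per
 * pointer and that access_ok() cannot catch an overrun (no-MMU target). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/mount.h>
#else
/* Non-Linux build: stub so the bounded-argument logic still compiles. */
static int mount(const char *s, const char *t, const char *f,
                 unsigned long fl, const void *d)
{ (void)s; (void)t; (void)f; (void)fl; (void)d; return -1; }
#endif

/* Bytes the kernel reads per option pointer (value taken from the report;
 * it is PAGE_SIZE on that platform). */
#define MOUNT_COPY_LEN 4096u

/* Returns 1 if a MOUNT_COPY_LEN-byte kernel read starting at ptr would run
 * past ram_end (the first address beyond physical RAM), else 0. Addresses
 * are plain integers so the condition can be unit-tested on any host. */
int mount_copy_overruns_ram(uintptr_t ptr, uintptr_t ram_end)
{
    if (ptr >= ram_end)
        return 1;
    return (ram_end - ptr) < MOUNT_COPY_LEN;
}

/* Copy s into a zero-filled MOUNT_COPY_LEN-byte heap buffer. The kernel's
 * fixed-length read then stays inside this allocation wherever s lived.
 * NULL in gives NULL out (mount(2) accepts NULL for type and data);
 * *ok is cleared only on allocation failure. Caller frees the result. */
char *bounded_mount_arg(const char *s, int *ok)
{
    char *buf;
    if (s == NULL)
        return NULL;
    buf = calloc(1, MOUNT_COPY_LEN);
    if (buf == NULL) {
        *ok = 0;
        return NULL;
    }
    /* Copy at most MOUNT_COPY_LEN-1 bytes so the last byte stays NUL. */
    strncpy(buf, s, MOUNT_COPY_LEN - 1);
    return buf;
}

/* Self-check used by the tests: does the bounded copy of s compare equal
 * to s and keep a terminating NUL in the final byte of the buffer? */
int bounded_mount_arg_matches(const char *s)
{
    int ok = 1, result;
    char *b = bounded_mount_arg(s, &ok);
    if (!ok || b == NULL)
        return 0;
    result = (strcmp(b, s) == 0) && (b[MOUNT_COPY_LEN - 1] == '\0');
    free(b);
    return result;
}

/* mount(2) wrapper that hands the kernel page-sized buffers for the three
 * strings the report names (dev, fstype, data). The target path is copied
 * by the kernel with getname(), which stops at the NUL, so it is passed
 * through unchanged. Returns the mount(2) result, -1 on allocation failure. */
int bounded_mount(const char *source, const char *target, const char *fstype,
                  unsigned long flags, const char *data)
{
    int ok = 1, rc = -1;
    char *src = bounded_mount_arg(source, &ok);
    char *typ = bounded_mount_arg(fstype, &ok);
    char *dat = bounded_mount_arg(data, &ok);
    if (ok)
        rc = mount(src, target, typ, flags, dat);
    free(src);
    free(typ);
    free(dat);
    return rc;
}

int main(int argc, char **argv)
{
    /* Constructed layout: 64 MiB of RAM, optarg 200 bytes before its end,
     * i.e. the situation the report describes. */
    uintptr_t ram_end = 0x04000000u;
    uintptr_t optarg_addr = ram_end - 200;
    printf("raw optarg overruns RAM: %d\n",
           mount_copy_overruns_ram(optarg_addr, ram_end));
    /* Only attempt a real mount when given source target fstype data. */
    if (argc == 5)
        return bounded_mount(argv[1], argv[2], argv[3], 0, argv[4]) == 0 ? 0 : 1;
    return 0;
}
```

Run without arguments it only evaluates the constructed address layout; with four arguments it performs the mount through the bounded buffers, which needs the usual mount privileges. The buffer is exactly MOUNT_COPY_LEN bytes rather than strlen(s)+1 because the kernel does not stop at the NUL: on a no-MMU system the whole 4096-byte span is read, so the span itself must be valid memory.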
----------------------------------------------------------------------
landley - 09-01-05 20:15
----------------------------------------------------------------------
A major rewrite of the mount code went in on 8/10. Does this issue apply
to the new mount code? Can you still reproduce a problem?
----------------------------------------------------------------------
Kasey Erickson - 09-02-05 09:27
----------------------------------------------------------------------
After doing a quick code inspection of mount.c (-r11289) the condition
still appears to be present.
Issue History
Date Modified Username Field Change
======================================================================
07-05-05 14:40 Kasey Erickson New Issue
07-05-05 14:40 Kasey Erickson File Added: mount.c.patch
09-01-05 20:15 landley Note Added: 0000486
09-01-05 20:15 landley Status assigned => feedback
09-02-05 09:27 Kasey Erickson Note Added: 0000487
======================================================================