[BusyBox 0000323]: mount.c - passing "-t" option sometimes causes memory copy outside of RAM in the linux kernel

bugs at busybox.net
Fri Sep 2 16:27:13 UTC 2005


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=323 
====================================================================== 
Reported By:                Kasey Erickson
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   323
Category:                   Other
Reproducibility:            random
Severity:                   major
Priority:                   normal
Status:                     feedback
====================================================================== 
Date Submitted:             07-05-2005 14:40 PDT
Last Modified:              09-02-2005 09:27 PDT
====================================================================== 
Summary:                    mount.c - passing "-t" option sometimes causes
memory copy outside of RAM in the linux kernel
Description: 
uClinux 2.4.22, busybox 1.00-pre3, util-linux/mount.c, mount_main() - When
passing "-t" to mount, optarg's value is copied to filesystemType.  This
becomes a problem when the address copied from optarg to filesystemType is
less than TASK_SIZE (4096 in linux) bytes from the end of RAM. 
linux/fs/namespace.c, copy_mount_options() copies 4096 bytes (on our
platform) for each pointer passed to it.  Roughly 40% of the time the
address optarg holds is 200 bytes from the end of RAM.  This causes the
copy in copy_mount_options to exceed memory.  access_ok() in the kernel
should catch this, but in uClinux it is defined as "0".

By inspection it appears that the same problem can occur to "devices" and
"string_flags" in mount_main.  I haven't seen these pointers produce
problems at run-time though.

A patch that works for me is attached.

====================================================================== 
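
One mitigation for the condition described above, as an added example that is not the attached mount.c.patch or BusyBox code: every free-form string the 2.4 kernel reads page-wise (the device name, filesystem type and option string that the report names) is staged in a caller-owned buffer of at least 4096 bytes before mount(2) is called, so the kernel's full-page copy never reaches past memory this process owns. The KERNEL_COPY_SIZE constant and the function names are this example's own.

```c
/* Added example: stage mount(2) string arguments in page-sized buffers so
 * the kernel's copy_mount_options(), which reads a full page from each user
 * pointer regardless of string length (and is not stopped by access_ok() on
 * uClinux, where it is defined as 0), stays inside memory we own. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/mount.h>
#endif

/* Bytes the kernel copies per pointer on the reporter's platform. */
#define KERNEL_COPY_SIZE 4096

/* Copy s into a zero-filled heap buffer of at least KERNEL_COPY_SIZE bytes.
 * A NULL s is passed through as NULL (the kernel skips NULL pointers).
 * Returns 0 on success, -1 if allocation fails; *size is the allocation. */
int stage_option(const char *s, char **out, size_t *size)
{
    *out = NULL;
    *size = 0;
    if (!s)
        return 0;
    size_t need = strlen(s) + 1;
    *size = need > KERNEL_COPY_SIZE ? need : KERNEL_COPY_SIZE;
    *out = calloc(1, *size);
    if (!*out) {
        *size = 0;
        return -1;
    }
    memcpy(*out, s, need);
    return 0;
}

/* mount(2) wrapper: src, fstype and data are staged before the call. The
 * mount point itself goes through the kernel's getname() path, not
 * copy_mount_options(), so it is passed as-is. */
int mount_staged(const char *src, const char *target, const char *fstype,
                 unsigned long flags, const char *data)
{
    char *s, *t, *d;
    size_t ss, ts, ds;
    int rc = -1, saved = ENOMEM;
    if (stage_option(src, &s, &ss) || stage_option(fstype, &t, &ts) ||
        stage_option(data, &d, &ds))
        goto out;
#ifdef __linux__
    rc = mount(s, target, t, flags, d);   /* needs CAP_SYS_ADMIN at runtime */
    saved = errno;
#else
    saved = ENOSYS;                       /* non-Linux build: no mount(2) */
#endif
out:
    free(s); free(t); free(d);
    errno = saved;
    return rc;
}
```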

---------------------------------------------------------------------- 
 landley - 09-01-05 20:15  
---------------------------------------------------------------------- 
A major rewrite of the mount code went in on 8/10.  Does this issue apply
to the new mount code?  Can you still reproduce a problem? 

---------------------------------------------------------------------- 
 Kasey Erickson - 09-02-05 09:27  
---------------------------------------------------------------------- 
After doing a quick code inspection of mount.c (-r11289) the condition
still appears to be present. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-05-05 14:40  Kasey Erickson New Issue                                    
07-05-05 14:40  Kasey Erickson File Added: mount.c.patch                    
09-01-05 20:15  landley        Note Added: 0000486                          
09-01-05 20:15  landley        Status                   assigned => feedback
09-02-05 09:27  Kasey Erickson Note Added: 0000487                          
======================================================================