From: Greg Kroah-Hartman Date: Fri, 26 Oct 2012 20:00:35 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.49~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5accab76b64ad23799c00e445414875db13ac9e7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch --- diff --git a/queue-3.4/series b/queue-3.4/series index 49956a21be3..ed054d92b63 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -13,3 +13,4 @@ sunrpc-clear-the-connect-flag-when-socket-state-is-tcp_close_wait.patch revert-sunrpc-ensure-we-close-the-socket-on-epipe-errors-too.patch sunrpc-prevent-races-in-xs_abort_connection.patch xhci-fix-potential-null-ptr-deref-in-command-cancellation.patch +sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch diff --git a/queue-3.4/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch b/queue-3.4/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch new file mode 100644 index 00000000000..6b3deef8862 --- /dev/null +++ b/queue-3.4/sysfs-sysfs_pathname-sysfs_add_one-use-strlcat-instead-of-strcat.patch @@ -0,0 +1,66 @@ +From 66081a72517a131430dcf986775f3268aafcb546 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Sat, 29 Sep 2012 22:23:19 +0200 +Subject: sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat() + +From: Geert Uytterhoeven + +commit 66081a72517a131430dcf986775f3268aafcb546 upstream. + +The warning check for duplicate sysfs entries can cause a buffer overflow +when printing the warning, as strcat() doesn't check buffer sizes. +Use strlcat() instead. + +Since strlcat() doesn't return a pointer to the passed buffer, unlike +strcat(), I had to convert the nested concatenation in sysfs_add_one() to +an admittedly more obscure comma operator construct, to avoid emitting code +for the concatenation if CONFIG_BUG is disabled. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman + +--- + fs/sysfs/dir.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/sysfs/dir.c ++++ b/fs/sysfs/dir.c +@@ -457,20 +457,18 @@ int __sysfs_add_one(struct sysfs_addrm_c + /** + * sysfs_pathname - return full path to sysfs dirent + * @sd: sysfs_dirent whose path we want +- * @path: caller allocated buffer ++ * @path: caller allocated buffer of size PATH_MAX + * + * Gives the name "/" to the sysfs_root entry; any path returned + * is relative to wherever sysfs is mounted. +- * +- * XXX: does no error checking on @path size + */ + static char *sysfs_pathname(struct sysfs_dirent *sd, char *path) + { + if (sd->s_parent) { + sysfs_pathname(sd->s_parent, path); +- strcat(path, "/"); ++ strlcat(path, "/", PATH_MAX); + } +- strcat(path, sd->s_name); ++ strlcat(path, sd->s_name, PATH_MAX); + return path; + } + +@@ -503,9 +501,11 @@ int sysfs_add_one(struct sysfs_addrm_cxt + char *path = kzalloc(PATH_MAX, GFP_KERNEL); + WARN(1, KERN_WARNING + "sysfs: cannot create duplicate filename '%s'\n", +- (path == NULL) ? sd->s_name : +- strcat(strcat(sysfs_pathname(acxt->parent_sd, path), "/"), +- sd->s_name)); ++ (path == NULL) ? sd->s_name ++ : (sysfs_pathname(acxt->parent_sd, path), ++ strlcat(path, "/", PATH_MAX), ++ strlcat(path, sd->s_name, PATH_MAX), ++ path)); + kfree(path); + } +