* [PATCH] 2.2.20: Avoid buffer overrun in quota warning
@ 2001-09-14 1:50 Paul Menage
2001-09-14 8:46 ` Jan Kara
0 siblings, 1 reply; 4+ messages in thread
From: Paul Menage @ 2001-09-14 1:50 UTC (permalink / raw)
To: alan, Jan Kara; +Cc: pmenage, linux-kernel
The quota code in several places does an sprintf() to a fixed (75 char)
buffer, where one of the format arguments is a directory name. If your
mountpoints have long enough names, this can easily overflow and
corrupt data following the buffer.
This has been fixed in 2.4, but not in 2.2.20pre. There are three ways
to fix it:
a) backport the delayed warning code from 2.4, which doesn't use sprintf
b) increase the buffer size
c) limit the %s directives in the sprintf() format string.
Given that 2.2.20 is about to be frozen, this patch takes option b,
increasing the buffer size to be equal to the maximum directory name
length passed to mount() (PAGE_SIZE) plus some slop for the rest of the
string to be printed. Maybe for 2.2.21 it might be worth backporting
the delayed warning code.
Paul
--- linux.orig/include/linux/quota.h Tue Jun 12 00:56:52 2001
+++ linux/include/linux/quota.h Thu Sep 13 18:21:23 2001
@@ -155,7 +155,7 @@
* Maximum length of a message generated in the quota system,
* that needs to be kicked onto the tty.
*/
-#define MAX_QUOTA_MESSAGE 75
+#define MAX_QUOTA_MESSAGE (PAGE_SIZE + 256)
#define DQ_LOCKED 0x01 /* locked for update */
#define DQ_WANT 0x02 /* wanted for update */
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] 2.2.20: Avoid buffer overrun in quota warning
2001-09-14 1:50 [PATCH] 2.2.20: Avoid buffer overrun in quota warning Paul Menage
@ 2001-09-14 8:46 ` Jan Kara
2001-09-14 15:15 ` Paul Menage
0 siblings, 1 reply; 4+ messages in thread
From: Jan Kara @ 2001-09-14 8:46 UTC (permalink / raw)
To: Paul Menage; +Cc: alan, linux-kernel
Hello,
> The quota code in several places does an sprintf() to a fixed (75 char)
> buffer, where one of the format arguments is a directory name. If your
> mountpoints have long enough names, this can easily overflow and
> corrupt data following the buffer.
>
> This has been fixed in 2.4, but not in 2.2.20pre. There are three ways
> to fix it:
>
> a) backport the delayed warning code from 2.4, which doesn't use sprintf
>
> b) increase the buffer size
>
> c) limit the %s directives in the sprintf() format string.
>
> Given that 2.2.20 is about to be frozen, this patch takes option b,
> increasing the buffer size to be equal to the maximum directory name
> length passed to mount() (PAGE_SIZE) plus some slop for the rest of the
> string to be printed. Maybe for 2.2.21 it might be worth backporting
> the delayed warning code.
Actually that delayed printing of quota messages isn't even in regular
2.4 - it's just in ac-patches. Regular 2.4 has just print_warning()
function which works rather the same way as printing in 2.2.
Currently I think that just increasing the buffer size is enough. If
someone really wanted the port from 2.4 I can make it but I'm really not sure
it's 2.2 thing and I'm not sure it's worth the work...
Honza
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] 2.2.20: Avoid buffer overrun in quota warning
2001-09-14 8:46 ` Jan Kara
@ 2001-09-14 15:15 ` Paul Menage
2001-10-03 18:11 ` Jan Kara
0 siblings, 1 reply; 4+ messages in thread
From: Paul Menage @ 2001-09-14 15:15 UTC (permalink / raw)
To: Jan Kara; +Cc: Paul Menage, alan, linux-kernel
> Actually that delayed printing of quota messages isn't even in regular
>2.4 - it's just in ac-patches. Regular 2.4 has just print_warning()
>function which works rather the same way as printing in 2.2.
Regular 2.4 prints bdevname(dquot->dq_sb->s_dev) rather than
dquot->dq_mnt->mnt_dirname, so is rather less likely to have the same
sprintf() overrun problems.
Paul
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] 2.2.20: Avoid buffer overrun in quota warning
2001-09-14 15:15 ` Paul Menage
@ 2001-10-03 18:11 ` Jan Kara
0 siblings, 0 replies; 4+ messages in thread
From: Jan Kara @ 2001-10-03 18:11 UTC (permalink / raw)
To: Paul Menage; +Cc: alan, linux-kernel
Hello,
> > Actually that delayed printing of quota messages isn't even in regular
> >2.4 - it's just in ac-patches. Regular 2.4 has just print_warning()
> >function which works rather the same way as printing in 2.2.
>
> Regular 2.4 prints bdevname(dquot->dq_sb->s_dev) rather than
> dquot->dq_mnt->mnt_dirname, so is rather less likely to have the same
> sprintf() overrun problems.
I've created patch for 2.2.18 kernel (applies well against 2.2.19 too) which
makes quota code print bdevname() rather that mountpoint and so avoids
possible overrun. Actually this overrun is possible only if root makes
mountpoint deep in directory structure so IMO there's no possibility for
exploit but anyway... Alan please apply the patch.
Honza
--
Jan Kara <jack@suse.cz>
SuSE Labs
<cut>
----------------------------------------------------------------------
diff -ru -X /home/jack/.kerndiffexclude linux-2.2.18/fs/dquot.c linux-2.2.18-overflowfix/fs/dquot.c
--- linux-2.2.18/fs/dquot.c Fri Dec 15 17:27:15 2000
+++ linux-2.2.18-overflowfix/fs/dquot.c Mon Oct 1 22:43:08 2001
@@ -848,7 +848,7 @@
if ((dquot->dq_flags & DQ_INODES) == 0 &&
need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: write failed, %s file limit reached\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
dquot->dq_flags |= DQ_INODES;
}
@@ -861,7 +861,7 @@
!ignore_hardlimit(dquot, initiator)) {
if (need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: warning, %s file quota exceeded too long.\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
}
return(NO_QUOTA);
@@ -872,7 +872,7 @@
dquot->dq_itime == 0) {
if (need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: warning, %s file quota exceeded\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
}
dquot->dq_itime = CURRENT_TIME + dquot->dq_mnt->mnt_dquot.inode_expire[type];
@@ -893,7 +893,7 @@
if (warn && (dquot->dq_flags & DQ_BLKS) == 0 &&
need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: write failed, %s disk limit reached.\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
dquot->dq_flags |= DQ_BLKS;
}
@@ -906,7 +906,7 @@
!ignore_hardlimit(dquot, initiator)) {
if (warn && need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: write failed, %s disk quota exceeded too long.\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
}
return(NO_QUOTA);
@@ -917,7 +917,7 @@
dquot->dq_btime == 0) {
if (warn && need_print_warning(type, initiator, dquot)) {
sprintf(quotamessage, "%s: warning, %s disk quota exceeded\n",
- dquot->dq_mnt->mnt_dirname, quotatypes[type]);
+ bdevname(dquot->dq_dev), quotatypes[type]);
tty_write_message(tty, quotamessage);
}
dquot->dq_btime = CURRENT_TIME + dquot->dq_mnt->mnt_dquot.block_expire[type];
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2001-10-03 18:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2001-09-14 1:50 [PATCH] 2.2.20: Avoid buffer overrun in quota warning Paul Menage
2001-09-14 8:46 ` Jan Kara
2001-09-14 15:15 ` Paul Menage
2001-10-03 18:11 ` Jan Kara
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).