Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull hostfs fix from Al Viro:
"Fix hostfs __dentry_name() string handling.

The use of strcpy() with overlapping source and destination is a UB;
original loop hadn't been. More to the point, the whole thing is much
easier done with memcpy() + memmove()"

* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
hostfs: fix string handling in __dentry_name()

Linus Torvalds 1 year ago b2fde873 8f08ed05

+6 -21

1 changed file

expand all

hostfs

hostfs_kern.c

+6 -21

fs/hostfs/hostfs_kern.c

··· 95 95 static char *__dentry_name(struct dentry *dentry, char *name) 96 96 { 97 97 char *p = dentry_path_raw(dentry, name, PATH_MAX); 98 - char *root; 99 - size_t len; 100 - struct hostfs_fs_info *fsi; 98 + struct hostfs_fs_info *fsi = dentry->d_sb->s_fs_info; 99 + char *root = fsi->host_root_path; 100 + size_t len = strlen(root); 101 101 102 - fsi = dentry->d_sb->s_fs_info; 103 - root = fsi->host_root_path; 104 - len = strlen(root); 105 - if (IS_ERR(p)) { 102 + if (IS_ERR(p) || len > p - name) { 106 103 __putname(name); 107 104 return NULL; 108 105 } 109 106 110 - /* 111 - * This function relies on the fact that dentry_path_raw() will place 112 - * the path name at the end of the provided buffer. 113 - */ 114 - BUG_ON(p + strlen(p) + 1 != name + PATH_MAX); 115 - 116 - strscpy(name, root, PATH_MAX); 117 - if (len > p - name) { 118 - __putname(name); 119 - return NULL; 120 - } 121 - 122 - if (p > name + len) 123 - strcpy(name + len, p); 107 + memcpy(name, root, len); 108 + memmove(name + len, p, name + PATH_MAX - p); 124 109 125 110 return name; 126 111 }