Attachment 39009 Details for Bug 90499

[patch] Updated patch that handles corner case too

stack-dos-2 (text/plain), 2.45 KB, created by Andreas Kleen on 2005-06-12 14:55:38 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andreas Kleen

Created: 2005-06-12 14:55:38 UTC

Size: 2.45 KB

patch

obsolete

>Fix buffer overflow in 32bit execve on x86-64/ia64
>
>Signed-off-by: Andi Kleen <ak@suse.de> 
>
>diff -u linux-2.4.31/arch/x86_64/ia32/sys_ia32.c-o linux-2.4.31/arch/x86_64/ia32/sys_ia32.c
>--- linux-2.4.31/arch/x86_64/ia32/sys_ia32.c-o	2005-01-19 15:09:39.000000000 +0100
>+++ linux-2.4.31/arch/x86_64/ia32/sys_ia32.c	2005-06-12 16:38:09.000000000 +0200
>@@ -2200,7 +2200,7 @@
> 	return ret;
> } 
> 
>-static int nargs(u32 src, char **dst) 
>+static int nargs(u32 src, char **dst, unsigned max) 
> { 
> 	int cnt;
> 	u32 val; 
>@@ -2214,7 +2214,7 @@
> 			dst[cnt] = (char *)(u64)val; 
> 		cnt++;
> 		src += 4;
>-		if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
>+		if (cnt >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) || (max >= 0 && cnt >= max))
> 			return -E2BIG; 
> 	} while(val); 
> 	if (dst)
>@@ -2231,12 +2231,12 @@
> 	unsigned sz = 0; 
> 	
> 	if (argv) {
>-	na = nargs(argv, NULL); 
>+	na = nargs(argv, NULL, -1); 
> 	if (na < 0) 
> 		return -EFAULT; 
> 	} 	
> 	if (envp) { 
>-	ne = nargs(envp, NULL); 
>+	ne = nargs(envp, NULL, -1); 
> 	if (ne < 0) 
> 		return -EFAULT; 
> 	}
>@@ -2252,13 +2252,13 @@
> 	} 
> 	
> 	if (argv) { 
>-	ret = nargs(argv, buf);
>+	ret = nargs(argv, buf, na);
> 	if (ret < 0)
> 		goto free;
> 	}
> 
> 	if (envp) { 
>-	ret = nargs(envp, buf + na); 
>+	ret = nargs(envp, buf + na, ne); 
> 	if (ret < 0)
> 		goto free; 
> 	}
>diff -u linux-2.4.31/arch/ia64/ia32/sys_ia32.c-o linux-2.4.31/arch/ia64/ia32/sys_ia32.c
>--- linux-2.4.31/arch/ia64/ia32/sys_ia32.c-o	2005-04-04 03:42:19.000000000 +0200
>+++ linux-2.4.31/arch/ia64/ia32/sys_ia32.c	2005-06-12 16:38:54.000000000 +0200
>@@ -94,7 +94,7 @@
> static DECLARE_MUTEX(ia32_mmap_sem);
> 
> static int
>-nargs (unsigned int arg, char **ap)
>+nargs (unsigned int arg, char **ap, int max)
> {
> 	unsigned int addr;
> 	int n, err;
>@@ -111,7 +111,7 @@
> 			*ap++ = (char *) A(addr);
> 		arg += sizeof(unsigned int);
> 		n++;
>-		if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *))
>+		if (n >= (MAX_ARG_PAGES * PAGE_SIZE) / sizeof(char *) || (max >= 0 && cnt >= max))
> 			return -E2BIG;
> 	} while (addr);
> 	return n - 1;
>@@ -128,10 +128,10 @@
> 	int na, ne, len;
> 	long r;
> 
>-	na = nargs(argv, NULL);
>+	na = nargs(argv, NULL, -1);
> 	if (na < 0)
> 		return na;
>-	ne = nargs(envp, NULL);
>+	ne = nargs(envp, NULL, -1);
> 	if (ne < 0)
> 		return ne;
> 	len = (na + ne + 2) * sizeof(*av);
>@@ -143,10 +143,10 @@
> 	av[na] = NULL;
> 	ae[ne] = NULL;
> 
>-	r = nargs(argv, av);
>+	r = nargs(argv, av, na);
> 	if (r < 0)
> 		goto out;
>-	r = nargs(envp, ae);
>+	r = nargs(envp, ae, ne);
> 	if (r < 0)
> 		goto out;
>

Actions: View | Diff

Attachments on bug 90499: 39007 | 39009 | 39665 | 39949 | 40061