| From 361371201b60ffd686a694c848c1d5ad6061725f Mon Sep 17 00:00:00 2001 |
| From: Balbir Singh <balbir@linux.vnet.ibm.com> |
| Date: Tue, 9 Dec 2008 13:14:07 -0800 |
| Subject: uml: boot broken due to buffer overrun |
| |
| From: Balbir Singh <balbir@linux.vnet.ibm.com> |
| |
| commit 361371201b60ffd686a694c848c1d5ad6061725f upstream. |
| |
| mconsole_init() passed 256 bytes as length in os_create_unix_socket, while |
| the sizeof UNIX_PATH_MAX is 108. This patch fixes that problem and avoids |
| a big overrun bug reported on UML bootup. |
| |
| sockaddr_un.sun_path is UNIX_PATH_MAX long which causes the problem. |
| Reported-by: Vikas K Managutte <vikki.km@gmail.com> |
| Reported-by: Sarvesh Kumar Lal Das <skldas@gmail.com> |
| Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com> |
| Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi> |
| Reviewed-by: WANG Cong <wangcong@zeuux.org> |
| Cc: Jeff Dike <jdike@addtoit.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| arch/um/drivers/mconsole_kern.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/arch/um/drivers/mconsole_kern.c |
| +++ b/arch/um/drivers/mconsole_kern.c |
| @@ -16,6 +16,8 @@ |
| #include <linux/slab.h> |
| #include <linux/syscalls.h> |
| #include <linux/utsname.h> |
| +#include <linux/socket.h> |
| +#include <linux/un.h> |
| #include <linux/workqueue.h> |
| #include <linux/mutex.h> |
| #include <asm/uaccess.h> |
| @@ -785,7 +787,7 @@ static int __init mconsole_init(void) |
| /* long to avoid size mismatch warnings from gcc */ |
| long sock; |
| int err; |
| - char file[256]; |
| + char file[UNIX_PATH_MAX]; |
| |
| if (umid_file_name("mconsole", file, sizeof(file))) |
| return -1; |
