Message ID | 20250117230913.GS1977892@ZenIV (mailing list archive) |
---|---|
State | New |
Series | hostfs: fix string handling in __dentry_name() |
----- Original Message -----
> From: "Al Viro" <viro@zeniv.linux.org.uk>
> To: "richard" <richard@nod.at>
> CC: "linux-um" <linux-um@lists.infradead.org>, "linux-fsdevel" <linux-fsdevel@vger.kernel.org>
> Sent: Saturday, 18 January 2025 00:09:13
> Subject: [PATCH] hostfs: fix string handling in __dentry_name()

> [in viro/vfs.git#fixes, going to Linus unless anyone objects]
>
> strcpy() should not be used with destination potentially overlapping
> the source; what's more, strscpy() in there is pointless - we already
> know the amount we want to copy; might as well use memcpy().
>
> Fixes: c278e81b8a02 "hostfs: Remove open coded strcpy()"

Hmm, AFAICT the open coded strcpy() was also never safe wrt. overlapping strings.
Besides that:

Acked-by: Richard Weinberger <richard@nod.at>

Thanks,
//richard
diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index 7e51d2cec64b..bd6503b73142 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -95,32 +95,17 @@ __uml_setup("hostfs=", hostfs_args, static char *__dentry_name(struct dentry *dentry, char *name) { char *p = dentry_path_raw(dentry, name, PATH_MAX); - char *root; - size_t len; - struct hostfs_fs_info *fsi; - - fsi = dentry->d_sb->s_fs_info; - root = fsi->host_root_path; - len = strlen(root); - if (IS_ERR(p)) { - __putname(name); - return NULL; - } - - /* - * This function relies on the fact that dentry_path_raw() will place - * the path name at the end of the provided buffer. - */ - BUG_ON(p + strlen(p) + 1 != name + PATH_MAX); + struct hostfs_fs_info *fsi = dentry->d_sb->s_fs_info; + char *root = fsi->host_root_path; + size_t len = strlen(root); - strscpy(name, root, PATH_MAX); - if (len > p - name) { + if (IS_ERR(p) || len > p - name) { __putname(name); return NULL; } - if (p > name + len) - strcpy(name + len, p); + memcpy(name, root, len); + memmove(name + len, p, name + PATH_MAX - p); return name; }
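Review bot: the memmove() length `name + PATH_MAX - p` at the end of the hunk equals the path length plus its NUL only because dentry_path_raw() places the path at the end of the buffer, and the hunk deletes the comment that documented that reliance along with the BUG_ON() that checked it. Since `memcpy(name, root, len)` does not copy a terminator, the result is NUL-terminated only through that memmove(); suggest keeping a one-line comment above it saying the copy deliberately runs to the end of the buffer to pick up the terminator.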
[in viro/vfs.git#fixes, going to Linus unless anyone objects]

strcpy() should not be used with destination potentially overlapping
the source; what's more, strscpy() in there is pointless - we already
know the amount we want to copy; might as well use memcpy().

Fixes: c278e81b8a02 "hostfs: Remove open coded strcpy()"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
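The overlap the commit message describes, as an added userspace example in C (not code from the patch or the kernel tree). `BUF_MAX`, `place_at_end()`, `prefix_root()`, `copy_overlaps()` and `host_path()` are hypothetical names, and the root and path strings are constructed sample values.

```c
/* Added userspace model of the patched __dentry_name(); not kernel code.
 * BUF_MAX stands in for PATH_MAX and is kept small (constructed value). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX ((size_t)32)

/* Mimic dentry_path_raw(): place path so its NUL is the last byte of buf. */
static char *place_at_end(char *buf, const char *path)
{
    size_t n = strlen(path) + 1;              /* path plus terminating NUL */
    return n > BUF_MAX ? NULL : memcpy(buf + BUF_MAX - n, path, n);
}

/* Prepend root in place; NULL when root does not fit in front of the path
 * (the kernel function also releases the buffer in that case). */
static char *prefix_root(char *name, char *p, const char *root)
{
    size_t len = strlen(root);

    if (p == NULL || len > (size_t)(p - name))
        return NULL;
    memcpy(name, root, len);                  /* root lives outside the buffer */
    /* Source and destination can overlap, hence memmove() and not strcpy(). */
    memmove(name + len, p, (size_t)(name + BUF_MAX - p));
    return name;
}

/* 1 when the copy is allowed and [len, len+n) reaches into [BUF_MAX-n, BUF_MAX). */
static int copy_overlaps(const char *root, const char *path)
{
    size_t len = strlen(root), n = strlen(path) + 1;
    return n <= BUF_MAX && len <= BUF_MAX - n && len + n > BUF_MAX - n;
}

/* Hypothetical helper: build the host path in a static buffer. */
static const char *host_path(const char *root, const char *path)
{
    static char buf[BUF_MAX];
    return prefix_root(buf, place_at_end(buf, path), root);
}

int main(void)
{
    const char *root = "/srv/uml/rootfs/base", *path = "/a/b/c";
    const char *r = host_path(root, path);    /* dest [20,27) overlaps src [25,32) */
    printf("%s (overlap: %d)\n", r ? r : "(does not fit)", copy_overlaps(root, path));
    return 0;
}
```

The overlap appears whenever the root is long enough that the gap in front of the path is shorter than the path itself, so short roots never exercise it.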