From bca271136f06514253aa28c24c04fc23b88e971e Mon Sep 17 00:00:00 2001 From: Paolo 'Blaisorblade' Giarrusso Date: Wed, 7 Mar 2007 20:41:07 -0800 Subject: [PATCH] uml: hostfs: fix double free Fix double free in the error path - when name is assigned into root_inode we do not own it any more and we must not kfree() it - see patch for details. Thanks to William Stearns for the initial report. CC: William Stearns Signed-off-by: Paolo 'Blaisorblade' Giarrusso Acked-by: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/hostfs/hostfs_kern.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'fs/hostfs/hostfs_kern.c') diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index e965eb11d76f..6f10e43746f9 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -966,6 +966,9 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) goto out_put; HOSTFS_I(root_inode)->host_filename = name; + /* Avoid that in the error path, iput(root_inode) frees again name through + * hostfs_destroy_inode! */ + name = NULL; err = -ENOMEM; sb->s_root = d_alloc_root(root_inode); @@ -977,7 +980,7 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) /* No iput in this case because the dput does that for us */ dput(sb->s_root); sb->s_root = NULL; - goto out_free; + goto out; } return(0); -- cgit v1.2.3 From a6eb0be6d5cc1851deb6619e6f8b1bbd0a0dbab4 Mon Sep 17 00:00:00 2001 From: Paolo 'Blaisorblade' Giarrusso Date: Wed, 7 Mar 2007 20:41:08 -0800 Subject: [PATCH] uml: hostfs: make hostfs= option work as a jail, as intended. When a given host directory is specified to be mounted both in hostfs=path1 and with mount option -o path2, we should give access to path1/path2, but this does not happen. Fix that in the simpler way. Also, root_ino can be the empty string, since we use %s/%s as format. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Acked-by: Jeff Dike Signed-off-by: Andrew Morton 
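Review bot: The ownership hand-off in hostfs_fill_sb_common is documented only by the comment above `name = NULL;`, which is hard to parse and does not say why the later `kfree(name)` stays safe. I would reword it to `/* root_inode now owns name (freed via hostfs_destroy_inode on iput); clear our copy so the error path cannot free it twice. */`. Assuming hostfs_destroy_inode frees host_filename as the comment says, the second hunk's change from `goto out_free` to `goto out` is not needed for correctness once `name` is NULL, because `kfree(NULL)` is a no-op; a short comment at that `goto` saying the dput has already released the inode and the name would make this explicit. The function body and the `out_put`/`out_free`/`out` labels lie outside both hunks.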
Signed-off-by: Linus Torvalds --- fs/hostfs/hostfs_kern.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'fs/hostfs/hostfs_kern.c') diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index 6f10e43746f9..9baf69773ed1 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -47,7 +47,7 @@ struct dentry_operations hostfs_dentry_ops = { }; /* Changed in hostfs_args before the kernel starts running */ -static char *root_ino = "/"; +static char *root_ino = ""; static int append = 0; #define HOSTFS_SUPER_MAGIC 0x00c0ffee @@ -947,15 +947,17 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) sb->s_magic = HOSTFS_SUPER_MAGIC; sb->s_op = &hostfs_sbops; - if((data == NULL) || (*data == '\0')) - data = root_ino; + /* NULL is printed as by sprintf: avoid that. */ + if (data == NULL) + data = ""; err = -ENOMEM; - name = kmalloc(strlen(data) + 1, GFP_KERNEL); + name = kmalloc(strlen(root_ino) + 1 + + strlen(data) + 1, GFP_KERNEL); if(name == NULL) goto out; - strcpy(name, data); + sprintf(name, "%s/%s", root_ino, data); root_inode = iget(sb, 0); if(root_inode == NULL) -- cgit v1.2.3 From 622e696938c6a9c5357d2ec4a07ed2f27d56925a Mon Sep 17 00:00:00 2001 From: Jeff Dike Date: Thu, 29 Mar 2007 01:20:32 -0700 Subject: [PATCH] uml: fix compilation problems Fix a few miscellaneous compilation problems - an assignment with mismatched types in ldt.c a missing include in mconsole.h which needs a definition of uml_pt_regs I missed removing an include of user_util.h in hostfs Signed-off-by: Jeff Dike Cc: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- arch/um/include/mconsole.h | 2 ++ arch/um/sys-i386/ldt.c | 3 ++- fs/hostfs/hostfs_kern.c | 1 - 3 files changed, 4 insertions(+), 2 deletions(-) (limited to 'fs/hostfs/hostfs_kern.c') diff --git a/arch/um/include/mconsole.h b/arch/um/include/mconsole.h index 2666815b6af5..b282839c1625 100644 
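Review bot: The new `sprintf(name, "%s/%s", root_ino, data)` in hostfs_fill_sb_common joins the mount option onto the hostfs= prefix without inspecting its components, so a `..` component in `data` produces a host path that is no longer below `root_ino`; nothing visible in the hunk normalises or rejects it. For hostfs= to act as the confinement boundary the commit title describes, the option should be refused with -EINVAL before the allocation when any component is `..`, as sketched below (`p` is a new `const char *` local). The same join survives the later rename commit as `sprintf(host_root_path, "%s/%s", root_ino, req_root)` and needs the same guard. A component check does not cover symlinks that already exist under the host directory, so that would need separate handling if it matters for this use. The function continues outside the hunk.

```c
	if (data == NULL)
		data = "";

	/* Refuse ".." components so the joined path stays below root_ino. */
	for (p = data; *p != '\0'; ) {
		size_t len = strcspn(p, "/");

		if (len == 2 && p[0] == '.' && p[1] == '.') {
			err = -EINVAL;
			goto out;
		}
		p += len;
		if (*p == '/')
			p++;
	}

	err = -ENOMEM;
	/* … unchanged: kmalloc of name and the sprintf join … */
```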
--- a/arch/um/include/mconsole.h +++ b/arch/um/include/mconsole.h @@ -12,6 +12,8 @@ #define u32 uint32_t #endif +#include "sysdep/ptrace.h" + #define MCONSOLE_MAGIC (0xcafebabe) #define MCONSOLE_MAX_DATA (512) #define MCONSOLE_VERSION 2 diff --git a/arch/um/sys-i386/ldt.c b/arch/um/sys-i386/ldt.c index 4a8b4202ef9e..a939a7ef0227 100644 --- a/arch/um/sys-i386/ldt.c +++ b/arch/um/sys-i386/ldt.c @@ -394,7 +394,8 @@ static short * host_ldt_entries = NULL; static void ldt_get_host_info(void) { long ret; - struct ldt_entry * ldt, *tmp; + struct ldt_entry * ldt; + short *tmp; int i, size, k, order; spin_lock(&host_ldt_lock); diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index 9baf69773ed1..a2667db9f6b9 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -20,7 +20,6 @@ #include "hostfs.h" #include "kern_util.h" #include "kern.h" -#include "user_util.h" #include "init.h" struct hostfs_inode_info { -- cgit v1.2.3 From 75e8defbe4236a358b1396bc6d9a1231e5eca225 Mon Sep 17 00:00:00 2001 From: Paolo 'Blaisorblade' Giarrusso Date: Thu, 29 Mar 2007 01:20:33 -0700 Subject: [PATCH] uml: hostfs variable renaming * rename name to host_root_path * rename data to req_root. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Jeff Dike Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/hostfs/hostfs_kern.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'fs/hostfs/hostfs_kern.c') diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index a2667db9f6b9..fd301a910122 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -938,7 +938,7 @@ static const struct address_space_operations hostfs_link_aops = { static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) { struct inode *root_inode; - char *name, *data = d; + char *host_root_path, *req_root = d; int err; sb->s_blocksize = 1024; 
@@ -947,16 +947,16 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) sb->s_op = &hostfs_sbops; /* NULL is printed as by sprintf: avoid that. */ - if (data == NULL) - data = ""; + if (req_root == NULL) + req_root = ""; err = -ENOMEM; - name = kmalloc(strlen(root_ino) + 1 - + strlen(data) + 1, GFP_KERNEL); - if(name == NULL) + host_root_path = kmalloc(strlen(root_ino) + 1 + + strlen(req_root) + 1, GFP_KERNEL); + if(host_root_path == NULL) goto out; - sprintf(name, "%s/%s", root_ino, data); + sprintf(host_root_path, "%s/%s", root_ino, req_root); root_inode = iget(sb, 0); if(root_inode == NULL) @@ -966,10 +966,10 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) if(err) goto out_put; - HOSTFS_I(root_inode)->host_filename = name; - /* Avoid that in the error path, iput(root_inode) frees again name through - * hostfs_destroy_inode! */ - name = NULL; + HOSTFS_I(root_inode)->host_filename = host_root_path; + /* Avoid that in the error path, iput(root_inode) frees again + * host_root_path through hostfs_destroy_inode! */ + host_root_path = NULL; err = -ENOMEM; sb->s_root = d_alloc_root(root_inode); @@ -989,7 +989,7 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) out_put: iput(root_inode); out_free: - kfree(name); + kfree(host_root_path); out: return(err); } -- cgit v1.2.3