diff options
| author | Alexey Dobriyan <[email protected]> | 2018-02-06 15:36:59 -0800 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2018-02-06 18:32:43 -0800 |
| commit | ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 (patch) | |
| tree | 1d01b6071cad203ecc73be49c817ef194381388a /lib/netdev-notifier-error-inject.c | |
| parent | 9f7118b2007d5e7c7a061550d2ca2ecb841537dc (diff) | |
proc: fix /proc/*/map_files lookup
Current code does:
if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
However sscanf() is broken garbage.
It silently accepts whitespace between format specifiers
(did you know that?).
It silently accepts valid strings which result in integer overflow.
Do not use sscanf() for any even remotely reliable parsing code.
OK
# readlink '/proc/1/map_files/55a23af39000-55a23b05b000'
/lib/systemd/systemd
broken
# readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000'
/lib/systemd/systemd
broken
# readlink '/proc/1/map_files/55a23af39000-55a23b05b000 '
/lib/systemd/systemd
very broken
# readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000'
/lib/systemd/systemd
Andrei said:
: This patch breaks criu. It was a bug in criu. And this bug is on a minor
: path, which works when memfd_create() isn't available. It is a reason why
: I ask to not backport this patch to stable kernels.
:
: In CRIU this bug can be triggered, only if this patch will be backported
: to a kernel which version is lower than v3.16.
Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2
Signed-off-by: Alexey Dobriyan <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Andrei Vagin <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'lib/netdev-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions