summaryrefslogtreecommitdiffstats
path: root/fs/dcache.c
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2007-10-21 16:41:38 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-22 08:13:18 -0700
commit321bcf92163038e2b96fd3bf9bc29f755c81d9ef (patch)
tree68a1e6b659cac5ffdadb4b7412fa5b7a4244541b /fs/dcache.c
parentb68680e4731abbd78863063aaa0dca2a6d8cc723 (diff)
downloadkernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.tar.gz
kernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.tar.xz
kernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.zip
dcache: don't expose uninitialized memory in /proc/<pid>/fd/<fd>
Well, it's not especially important that target->d_iname get the contents of dentry->d_iname, but it's important that it get initialized with *something*, otherwise we're just exposing some random piece of memory to anyone who reads the link at /proc/<pid>/fd/<fd> for the deleted file, when it's still held open by someone. I've run a test program that copies a short (<36 character) name ontop of a long (>=36 character) name and see that the first time I run it, without this patch, I get unpredicatable results out of /proc/<pid>/fd/<fd>. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/dcache.c')
-rw-r--r--fs/dcache.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/dcache.c b/fs/dcache.c
index 2bb3f7ac683..d9ca1e5ceb9 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1479,6 +1479,8 @@ static void switch_names(struct dentry *dentry, struct dentry *target)
* dentry:internal, target:external. Steal target's
* storage and make target internal.
*/
+ memcpy(target->d_iname, dentry->d_name.name,
+ dentry->d_name.len + 1);
dentry->d_name.name = target->d_name.name;
target->d_name.name = target->d_iname;
}