diff options
author | J. Bruce Fields <bfields@citi.umich.edu> | 2007-10-21 16:41:38 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-22 08:13:18 -0700 |
commit | 321bcf92163038e2b96fd3bf9bc29f755c81d9ef (patch) | |
tree | 68a1e6b659cac5ffdadb4b7412fa5b7a4244541b /fs/dcache.c | |
parent | b68680e4731abbd78863063aaa0dca2a6d8cc723 (diff) | |
download | kernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.tar.gz kernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.tar.xz kernel-crypto-321bcf92163038e2b96fd3bf9bc29f755c81d9ef.zip |
dcache: don't expose uninitialized memory in /proc/<pid>/fd/<fd>
Well, it's not especially important that target->d_iname get the contents
of dentry->d_iname, but it's important that it get initialized with
*something*, otherwise we're just exposing some random piece of memory to
anyone who reads the link at /proc/<pid>/fd/<fd> for the deleted file, when
it's still held open by someone.
I've run a test program that copies a short (<36 character) name ontop of a
long (>=36 character) name and see that the first time I run it, without
this patch, I get unpredicatable results out of /proc/<pid>/fd/<fd>.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/dcache.c')
-rw-r--r-- | fs/dcache.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/dcache.c b/fs/dcache.c index 2bb3f7ac683..d9ca1e5ceb9 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1479,6 +1479,8 @@ static void switch_names(struct dentry *dentry, struct dentry *target) * dentry:internal, target:external. Steal target's * storage and make target internal. */ + memcpy(target->d_iname, dentry->d_name.name, + dentry->d_name.len + 1); dentry->d_name.name = target->d_name.name; target->d_name.name = target->d_iname; } |