copy_mount_options in 2.3.99-pre9-pre3 and ncpmount (and others)

From: Petr Vandrovec (vandrove@vc.cvut.cz)
Date: Mon May 22 2000 - 12:13:32 EST


Hi Al,
  your change to copy_mount_options in 2.3.99-pre9-pre3 revealed that
copy_from_user does not work as expected :-( At least on ia32.

  First action, which copy_from_user does is
  
access_ok(VERIFY_READ, from, n).

  This in turn (for >i386) does
  
__range_ok(from, n) == 0

  which, unfortunately, checks the sum of 'from + n' against
current->addr_limit.seg. And because ncpmount passes some of the
arguments to mount on the stack, copy_from_user, instead of copying
the partial parameter, fails completely with return value == size
and no copy.

  Unfortunately, I was not able to find any nice solution.
So I patched only copy_mount_options with an ia32-specific patch. If
other architectures have broken copy_{from,to}_user too... Because
the device name is also copied using copy_mount_options, I think
that this may cause unexpected failures in other mount programs
too (smbmount comes to my mind).

--- super.c.orig Mon May 22 12:14:13 2000
+++ super.c Mon May 22 19:02:55 2000
@@ -1145,7 +1145,8 @@
 {
         int i;
         unsigned long page;
-
+ int size;
+
         *where = 0;
         if (!data)
                 return 0;
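Review bot: `size` is declared `int` here, but in the second hunk it is assigned `current->addr_limit.seg - (unsigned long)data` (an `unsigned long`) and compared against the `unsigned long` return value of `copy_from_user`, so the declaration should be `unsigned long size;` to avoid sign-conversion surprises.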
@@ -1157,8 +1158,16 @@
          * gave us is valid. Just in case, we'll zero
          * the remainder of the page.
          */
- i = copy_from_user((void *)page, data, PAGE_SIZE);
- if (i == PAGE_SIZE) {
+ /* copy_from_user is buggy ! */
+ size = PAGE_SIZE;
+#ifdef CONFIG_X86
+ if ((unsigned long)data < current->addr_limit.seg &&
+ (unsigned long)data + size > current->addr_limit.seg) {
+ size = current->addr_limit.seg - (unsigned long)data;
+ }
+#endif
+ i = copy_from_user((void *)page, data, size);
+ if (i == size) {
                 free_page(page);
                 return -EFAULT;
         }
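Review bot: the comment `/* copy_from_user is buggy ! */` should say what is actually being worked around, namely that `access_ok` rejects a buffer whose end (`from + n`) crosses `current->addr_limit.seg` even when the bytes below the limit are readable; a reader of fs/super.c will not otherwise see why `#ifdef CONFIG_X86` and `addr_limit.seg` appear in generic code. Also, since `size` can now be smaller than `PAGE_SIZE`, please check that the "zero the remainder of the page" code referenced by the comment above (not shown in this hunk) zeroes from `size` onward rather than assuming a full-page copy, or the bytes between `size` and `PAGE_SIZE` stay uninitialised.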

But I think that copy_{from,to}_user should be fixed, it gives inconsistent
results on partial buffers now.
                                        Petr Vandrovec
                                        vandrove@vc.cvut.cz

P.S.: ncpfs users, if you do not want to apply this patch, export some
4KB environment variable... It will fix this problem too :-)
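The failure mode described above, as an added illustration that is not part of the original mail or of the kernel source: a user-space model of the `__range_ok` check (a buffer is rejected when `from + n` crosses the address limit) next to the clamp the patch applies on x86. The limit value and the function names `range_fails`, `copy_size_original` and `copy_size_patched` are constructed for this model; a return of 0 stands in for the `-EFAULT` path.

```c
#include <stdio.h>

/* Constructed model, not kernel code. The limit stands in for
 * current->addr_limit.seg on a 3G/1G split; the value is an assumption. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_SEG_LIMIT 0xC0000000UL

/* Model of the ia32 __range_ok() test: nonzero (reject) when the range
 * [from, from + n) ends beyond the segment limit. Wraparound is ignored. */
static int range_fails(unsigned long from, unsigned long n)
{
    return from + n > MODEL_SEG_LIMIT;
}

/* Model of copy_mount_options() before the patch: always asks for a full
 * page, so a short buffer sitting just below the limit is rejected whole. */
static unsigned long copy_size_original(unsigned long data)
{
    return range_fails(data, MODEL_PAGE_SIZE) ? 0 : MODEL_PAGE_SIZE;
}

/* Model of the patched version: if the page-sized window would straddle the
 * limit, shrink the request to the bytes that lie below it. */
static unsigned long copy_size_patched(unsigned long data)
{
    unsigned long size = MODEL_PAGE_SIZE;

    if (data < MODEL_SEG_LIMIT && data + size > MODEL_SEG_LIMIT)
        size = MODEL_SEG_LIMIT - data;
    return range_fails(data, size) ? 0 : size;
}

int main(void)
{
    /* Constructed addresses: a 100-byte mount argument at the top of the
     * stack, a buffer exactly one page below the limit, and the limit itself. */
    unsigned long probes[] = {
        MODEL_SEG_LIMIT - 100,
        MODEL_SEG_LIMIT - MODEL_PAGE_SIZE,
        MODEL_SEG_LIMIT,
    };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("data=%#lx original=%lu patched=%lu\n", probes[i],
               copy_size_original(probes[i]), copy_size_patched(probes[i]));
    return 0;
}
```

The first probe is the ncpmount case: a small argument near the top of the stack is rejected outright by the original code (0 bytes, i.e. -EFAULT) but copied as 100 bytes with the clamp; the second shows that a buffer fitting entirely below the limit is unaffected; the third shows that a buffer starting at or above the limit is still rejected by both.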

This archive was generated by hypermail 2b29 : Tue May 23 2000 - 21:00:22 EST