Commit ebd09abb authored by Duane Griffin's avatar Duane Griffin Committed by Al Viro

vfs: ensure page symlinks are NUL-terminated

On-disk data corruption could cause a page link to have its i_size set
to PAGE_SIZE (or a multiple thereof) and its contents all non-NUL.
NUL-terminate the link name to ensure this doesn't cause further
problems for the kernel.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarDuane Griffin <duaneg@dghda.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 03514685
...@@ -2786,13 +2786,16 @@ int vfs_follow_link(struct nameidata *nd, const char *link) ...@@ -2786,13 +2786,16 @@ int vfs_follow_link(struct nameidata *nd, const char *link)
/* get the link contents into pagecache */ /* get the link contents into pagecache */
static char *page_getlink(struct dentry * dentry, struct page **ppage) static char *page_getlink(struct dentry * dentry, struct page **ppage)
{ {
struct page * page; char *kaddr;
struct page *page;
struct address_space *mapping = dentry->d_inode->i_mapping; struct address_space *mapping = dentry->d_inode->i_mapping;
page = read_mapping_page(mapping, 0, NULL); page = read_mapping_page(mapping, 0, NULL);
if (IS_ERR(page)) if (IS_ERR(page))
return (char*)page; return (char*)page;
*ppage = page; *ppage = page;
return kmap(page); kaddr = kmap(page);
nd_terminate_link(kaddr, dentry->d_inode->i_size, PAGE_SIZE - 1);
return kaddr;
} }
int page_readlink(struct dentry *dentry, char __user *buffer, int buflen) int page_readlink(struct dentry *dentry, char __user *buffer, int buflen)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment