[PATCH 3.18 039/185] proc: fix /proc/*/map_files lookup

2018-05-28 Thread Greg Kroah-Hartman
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is

[PATCH 4.4 063/268] proc: fix /proc/*/map_files lookup

2018-05-28 Thread Greg Kroah-Hartman
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is

[PATCH 4.9 090/329] proc: fix /proc/*/map_files lookup

2018-05-28 Thread Greg Kroah-Hartman
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is

[PATCH 4.14 144/183] proc: fix /proc/*/map_files lookup

2018-04-25 Thread Greg Kroah-Hartman
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is

[PATCH AUTOSEL for 4.15 157/189] proc: fix /proc/*/map_files lookup

2018-04-08 Thread Sasha Levin
From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It

[PATCH AUTOSEL for 4.14 133/161] proc: fix /proc/*/map_files lookup

2018-04-08 Thread Sasha Levin
From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It

[PATCH AUTOSEL for 4.9 279/293] proc: fix /proc/*/map_files lookup

2018-04-08 Thread Sasha Levin
From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It

[PATCH AUTOSEL for 4.4 153/162] proc: fix /proc/*/map_files lookup

2018-04-08 Thread Sasha Levin
From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It

[PATCH AUTOSEL for 3.18 094/101] proc: fix /proc/*/map_files lookup

2018-04-08 Thread Sasha Levin
From: Alexey Dobriyan [ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It

Re: [PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-03-04 Thread Cyrill Gorcunov
On Sun, Mar 04, 2018 at 12:51:30AM +0300, Alexey Dobriyan wrote: > I totally forgot that _parse_integer() accepts arbitrary amount of > leading zeroes leading to the following lookups: > > OK > # readlink /proc/1/map_files/56427ecba000-56427eddc000 > /lib/systemd/systemd

[PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-03-03 Thread Alexey Dobriyan
I totally forgot that _parse_integer() accepts arbitrary amount of leading zeroes leading to the following lookups: OK # readlink /proc/1/map_files/56427ecba000-56427eddc000 /lib/systemd/systemd bogus # readlink

Re: [PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Andrew Morton
On Wed, 21 Feb 2018 22:53:40 +0300 Alexey Dobriyan wrote: > I totally forgot that _parse_integer() accepts arbitrary amount of > leading zeroes leading to the following: > > OK > # readlink /proc/1/map_files/56427ecba000-56427eddc000 > /lib/systemd/systemd > >

Re: [PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Alexey Dobriyan
On Wed, Feb 21, 2018 at 12:04:03PM -0800, Andrew Morton wrote: > On Wed, 21 Feb 2018 22:53:40 +0300 Alexey Dobriyan > wrote: > > > I totally forgot that _parse_integer() accepts arbitrary amount of > > leading zeroes leading to the following: > > > > OK > > # readlink

Re: [PATCH] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Al Viro
On Wed, Feb 21, 2018 at 09:44:11PM +0300, Alexey Dobriyan wrote: > + len = strlen(str); > + if (len > 1 && *str == '0') > + return -EINVAL; if (s[0] == '0' && s[1]) please...
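
Review bot: in the quoted hunk, len = strlen(str) scans the whole name only so that len > 1 can tell whether a second character exists; testing str[1] directly, as the reply suggests, gives the same answer without the scan. The condition also lets a bare "0" through while rejecting any longer string that starts with '0', so a short comment stating that a single zero is deliberately accepted would help the next reader of this check.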

Re: [PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Cyrill Gorcunov
On Wed, Feb 21, 2018 at 12:04:03PM -0800, Andrew Morton wrote: > > I don't know this code and I'm all confused. > > - why is the code designed to accept addresses of "0"? It was never designed to accept addresses of 0, it is rather a side effect of using sscanf in first place. The address

[PATCH v2] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Alexey Dobriyan
I totally forgot that _parse_integer() accepts arbitrary amount of leading zeroes leading to the following: OK # readlink /proc/1/map_files/56427ecba000-56427eddc000 /lib/systemd/systemd bogus # readlink

[PATCH] proc: fix /proc/*/map_files lookup some more

2018-02-21 Thread Alexey Dobriyan
I totally forgot that _parse_integer() accepts arbitrary amount of leading zeroes leading to the following: OK # readlink /proc/1/map_files/56427ecba000-56427eddc000 /lib/systemd/systemd bogus # readlink

Re: proc: fix /proc/*/map_files lookup

2017-11-29 Thread Andrei Vagin
On Wed, Nov 29, 2017 at 02:56:03PM -0800, Andrew Morton wrote: > On Mon, 27 Nov 2017 21:29:25 -0800 Andrei Vagin wrote: > > > On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote: > > > Current code does: > > > > > > if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) > >

Re: proc: fix /proc/*/map_files lookup

2017-11-29 Thread Andrew Morton
On Mon, 27 Nov 2017 21:29:25 -0800 Andrei Vagin wrote: > On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote: > > Current code does: > > > > if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) > > > > However sscanf() is broken garbage. > > > > It silently accepts

Re: proc: fix /proc/*/map_files lookup

2017-11-28 Thread Alexey Dobriyan
On 11/28/17, Andrei Vagin wrote: > On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote: >> Current code does: >> >> if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) >> >> However sscanf() is broken garbage. >> >> It silently accepts whitespace between format

Re: proc: fix /proc/*/map_files lookup

2017-11-27 Thread Andrei Vagin
On Tue, Nov 21, 2017 at 12:27:06AM +0300, Alexey Dobriyan wrote: > Current code does: > > if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) > > However sscanf() is broken garbage. > > It silently accepts whitespace between format specifiers > (did you know that?). > > It

Re: [PATCH] proc: fix /proc/*/map_files lookup

2017-11-20 Thread Alexey Dobriyan
On Mon, Nov 20, 2017 at 02:16:14PM -0800, Andrew Morton wrote: > On Tue, 21 Nov 2017 00:27:06 +0300 Alexey Dobriyan > wrote: > > very broken > > # readlink > > '/proc/1/map_files/155a23af39000-55a23b05b000' > > /lib/systemd/systemd > > > > Signed-off-by: Alexey

Re: [PATCH] proc: fix /proc/*/map_files lookup

2017-11-20 Thread Andrew Morton
On Tue, 21 Nov 2017 00:27:06 +0300 Alexey Dobriyan wrote: > Current code does: > > if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) > > However sscanf() is broken garbage. > > It silently accepts whitespace between format specifiers > (did you know that?). > > It silently

[PATCH] proc: fix /proc/*/map_files lookup

2017-11-20 Thread Alexey Dobriyan
Current code does: if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) However sscanf() is broken garbage. It silently accepts whitespace between format specifiers (did you know that?). It silently accepts valid strings which result in integer overflow. Do not use sscanf()