From: Christoph Mallon <christoph.mallon@gmx.de>
Date: Sun, 04 Jan 2009 19:06:18 +0100
To: David E. O'Brien
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r186504 - head/sbin/mount
Message-ID: <4960FA9A.1090509@gmx.de>
In-Reply-To: <200812262254.mBQMsrbR052676@svn.freebsd.org>

Hi David,

I'm pretty sure $SUPERNATURAL_BEING_OF_YOUR_CHOICE killed a kitten for the ugly hack you added to mount. The moment you overflow a buffer, you are in no man's land and there's no escape.

I appended a patch, which solves this issue once and for all: the argv array gets dynamically expanded when its limit is reached.

Please - for all kittens out there - commit this patch.

	Christoph

David E. O'Brien wrote:
> Author: obrien
> Date: Fri Dec 26 22:54:53 2008
> New Revision: 186504
> URL: http://svn.freebsd.org/changeset/base/186504
>
> Log:
>   Make the sub-'argc' static to make it harder to overwrite thru a buffer
>   overflow.
>
> Modified:
>   head/sbin/mount/mount.c
>
> Modified: head/sbin/mount/mount.c
> ==============================================================================
> --- head/sbin/mount/mount.c	Fri Dec 26 22:47:11 2008	(r186503)
> +++ head/sbin/mount/mount.c	Fri Dec 26 22:54:53 2008	(r186504)
> @@ -503,9 +503,10 @@ int
>  mountfs(const char *vfstype, const char *spec, const char *name, int flags,
>  	const char *options, const char *mntopts)
>  {
> +	static int argc;
>  	char *argv[MAX_ARGS];
>  	struct statfs sf;
> -	int argc, i, ret;
> +	int i, ret;
>  	char *optbuf, execname[PATH_MAX], mntpath[PATH_MAX];
>  
>  	/* resolve the mountpoint with realpath(3) */

Attachment: mount.diff

Index: mount.c
===================================================================
--- mount.c	(Revision 186740)
+++ mount.c	(Arbeitskopie)
@@ -68,16 +68,17 @@
 #define MOUNT_META_OPTION_FSTAB		"fstab"
 #define MOUNT_META_OPTION_CURRENT	"current"
 
-#define	MAX_ARGS			100
-
 int debug, fstab_style, verbose;
+static char **mnt_argv;
+static int mnt_argv_size;
+static int mnt_argc;
 
 char   *catopt(char *, const char *);
 struct statfs *getmntpt(const char *);
 int	hasopt(const char *, const char *);
 int	ismounted(struct fstab *, struct statfs *, int);
 int	isremountable(const char *);
-void	mangle(char *, int *, char *[]);
+static void	mangle(char *);
 char   *update_options(char *, char *, int);
 int	mountfs(const char *, const char *, const char *,
 			int, const char *, const char *);
@@ -499,12 +500,22 @@
 	return (found);
 }
 
+static void
+append_argv(char *arg)
+{
+	if (mnt_argc == mnt_argv_size) {
+		mnt_argv_size = mnt_argv_size == 0 ? 16 : mnt_argv_size * 2;
+		mnt_argv = realloc(mnt_argv, sizeof(*mnt_argv) * mnt_argv_size);
+		if (mnt_argv == NULL)
+			errx(1, "realloc failed");
+	}
+	mnt_argv[mnt_argc++] = arg;
+}
+
 int
 mountfs(const char *vfstype, const char *spec, const char *name, int flags,
 	const char *options, const char *mntopts)
 {
-	static int argc;
-	char *argv[MAX_ARGS];
 	struct statfs sf;
 	int i, ret;
 	char *optbuf, execname[PATH_MAX], mntpath[PATH_MAX];
@@ -542,32 +553,27 @@
 	/* Construct the name of the appropriate mount command */
 	(void)snprintf(execname, sizeof(execname), "mount_%s", vfstype);
 
-	argc = 0;
-	argv[argc++] = execname;
-	mangle(optbuf, &argc, argv);
-	argv[argc++] = strdup(spec);
-	argv[argc++] = strdup(name);
-	argv[argc] = NULL;
+	append_argv(execname);
+	mangle(optbuf);
+	append_argv(strdup(spec));
+	append_argv(strdup(name));
+	append_argv(NULL);
 
-	if (MAX_ARGS <= argc )
-		errx(1, "Cannot process more than %d mount arguments",
-		    MAX_ARGS);
-
 	if (debug) {
 		if (use_mountprog(vfstype))
 			printf("exec: mount_%s", vfstype);
 		else
 			printf("mount -t %s", vfstype);
-		for (i = 1; i < argc; i++)
-			(void)printf(" %s", argv[i]);
+		for (i = 1; i < mnt_argc; i++)
+			(void)printf(" %s", mnt_argv[i]);
 		(void)printf("\n");
 		return (0);
 	}
 
 	if (use_mountprog(vfstype)) {
-		ret = exec_mountprog(name, execname, argv);
+		ret = exec_mountprog(name, execname, mnt_argv);
 	} else {
-		ret = mount_fs(vfstype, argc, argv);
+		ret = mount_fs(vfstype, mnt_argc, mnt_argv);
 	}
 
 	free(optbuf);
@@ -669,13 +675,11 @@
 	return (cp);
 }
 
-void
-mangle(char *options, int *argcp, char *argv[])
+static void
+mangle(char *options)
 {
 	char *p, *s;
-	int argc;
 
-	argc = *argcp;
 	for (s = options; (p = strsep(&s, ",")) != NULL;)
 		if (*p != '\0') {
 			if (strcmp(p, "noauto") == 0) {
@@ -707,19 +711,17 @@
 			    sizeof(groupquotaeq) - 1) == 0) {
 				continue;
 			} else if (*p == '-') {
-				argv[argc++] = p;
+				append_argv(p);
 				p = strchr(p, '=');
 				if (p != NULL) {
 					*p = '\0';
-					argv[argc++] = p+1;
+					append_argv(p + 1);
 				}
 			} else {
-				argv[argc++] = strdup("-o");
-				argv[argc++] = p;
+				append_argv(strdup("-o"));
+				append_argv(p);
 			}
 		}
-
-	*argcp = argc;
 }
 
 
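Review bot: on the quoted r186504 hunk, moving argc into static storage (`+	static int argc;`) protects only argc; `char *argv[MAX_ARGS];` is unchanged, so the stores past the end of argv still happen and now corrupt whatever else is adjacent in mountfs()'s frame instead of argc, which is no safer. The fix belongs where the writes occur: check the index against MAX_ARGS before every `argv[argc++] = ...` in mountfs() and mangle(), or replace the fixed array with one that grows. A static argc also makes mountfs() non-reentrant for no gain.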
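Review bot: in hunk @@ -68,16 +68,17 @@ of mount.diff, `mnt_argv`, `mnt_argv_size` and `mnt_argc` become file-scope state shared by every mountfs() call, and the vector then lives for the life of the process. The removed prototype `void	mangle(char *, int *, char *[]);` already threaded argc and argv through as parameters; a small struct (pointer, count, capacity) declared in mountfs() and passed to mangle() and append_argv() keeps the growth logic without introducing global mutable state.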
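Review bot: in append_argv() (hunk @@ -499,12 +500,22 @@), `errx(1, "realloc failed");` discards errno; `err(1, "realloc")` prints the reason. Assigning the realloc() result straight back to `mnt_argv` is only acceptable because errx() never returns; if this ever becomes a non-fatal path the old block would be leaked, so a temporary (or reallocf(3)) is the safer idiom. `mnt_argv_size * 2` is also an unbounded int doubling feeding sizeof arithmetic; size_t is the natural type for both counters.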
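Review bot: hunk @@ -542,32 +553,27 @@ changes behaviour in two ways. First, `-	argc = 0;` is removed and nothing resets `mnt_argc`, so if mountfs() runs more than once in a process (the removed per-call reset existed for that) the second build appends after the first vector's NULL and exec_mountprog()/mount_fs() still see the old arguments; add `mnt_argc = 0;` before `append_argv(execname);`. Second, `+	append_argv(NULL);` increments mnt_argc, whereas the removed `argv[argc] = NULL;` did not, so `mount_fs(vfstype, mnt_argc, mnt_argv)` now receives an argc one too large and the debug loop `for (i = 1; i < mnt_argc; i++)` hands the NULL slot to printf("%s"). Store the terminator without counting it, or pass `mnt_argc - 1`.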
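Review bot: in hunk @@ -707,19 +711,17 @@, `append_argv(p);` and `append_argv(p + 1);` store pointers into `options`, which is the optbuf that mountfs() frees after the exec (`free(optbuf);` in the @@ -542 hunk). The old local argv died with the call, but `mnt_argv` is now static, so these entries become dangling once optbuf is freed and, because the vector is never reset, are reused by the next mountfs() call. Either strdup() them as the `-o` branch already does, or give the vector the same lifetime as optbuf.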
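As an added example, not code from Christoph's patch or from FreeBSD's mount.c: the same growable-argv idea, written so that the vector owns copies of its strings, is reset per build, and never counts the terminating NULL in argc. The names argvec, argvec_append, argvec_reset, mangle_opts, build_mount_argv and stress_argc are invented for this example, the option strings are constructed inputs, and mangle_opts() covers only the cases mangle() handles in the hunks above (the noauto/quota special cases are left out).

```c
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Growable argv: v[n] is always NULL (exec-ready); n excludes the terminator. */
struct argvec {
	char **v;
	size_t n, cap;
};

/* Append a private copy of arg, doubling the array (from 16 slots) when full.
 * Owning the strings lets the buffer they came from (optbuf in mount.c) be freed. */
static void
argvec_append(struct argvec *a, const char *arg)
{
	if (a->n + 2 > a->cap) {		/* arg plus the trailing NULL */
		size_t cap = a->cap ? a->cap * 2 : 16;
		char **nv;

		if (a->cap > SIZE_MAX / (2 * sizeof(*nv)))
			errx(1, "argvec: too many arguments");
		if ((nv = realloc(a->v, cap * sizeof(*nv))) == NULL)
			err(1, "realloc");	/* a->v is still valid here */
		a->v = nv;
		a->cap = cap;
	}
	if ((a->v[a->n] = malloc(strlen(arg) + 1)) == NULL)
		err(1, "malloc");
	strcpy(a->v[a->n++], arg);
	a->v[a->n] = NULL;
}

/* Empty the vector but keep its allocation; call before every rebuild. */
static void
argvec_reset(struct argvec *a)
{
	while (a->n > 0)
		free(a->v[--a->n]);
	if (a->v != NULL)
		a->v[0] = NULL;
}

/* mangle() from mount.c for the cases the patch touches: "-x" passes through,
 * "-x=y" becomes "-x" "y", anything else becomes "-o" <opt>, empty fields skip. */
static void
mangle_opts(struct argvec *a, char *options)
{
	char *p, *s, *eq;

	for (p = options; p != NULL; p = s) {	/* same effect as strsep(&s, ",") */
		if ((s = strchr(p, ',')) != NULL)
			*s++ = '\0';
		if (*p == '\0')
			continue;
		eq = NULL;
		if (*p != '-')
			argvec_append(a, "-o");
		else if ((eq = strchr(p, '=')) != NULL)
			*eq++ = '\0';
		argvec_append(a, p);
		if (eq != NULL)
			argvec_append(a, eq);
	}
}

/* What mount(8) hands to mount_<vfstype>; resetting first keeps repeated calls clean. */
static void
build_mount_argv(struct argvec *a, const char *execname, char *options,
    const char *spec, const char *name)
{
	argvec_reset(a);
	argvec_append(a, execname);
	mangle_opts(a, options);
	argvec_append(a, spec);
	argvec_append(a, name);
}

/* Constructed stress input "o0,o1,...": nopts options, far past MAX_ARGS (100). */
static size_t
stress_argc(size_t nopts)
{
	struct argvec a = { NULL, 0, 0 };
	char *opts = calloc(nopts * 24 + 1, 1);
	size_t i, len = 0, n;

	if (opts == NULL)
		err(1, "calloc");
	for (i = 0; i < nopts; i++)
		len += (size_t)sprintf(opts + len, "o%zu,", i);
	build_mount_argv(&a, "mount_ufs", opts, "/dev/da0s1a", "/mnt");
	if (a.n >= a.cap || a.v[a.n] != NULL)	/* terminator inside the allocation */
		abort();
	free(opts);				/* safe: the vector holds its own copies */
	n = a.n;
	argvec_reset(&a);
	free(a.v);
	return n;
}
```

stress_argc(1000) pushes 2003 arguments through the same path mount.c uses (execname, "-o" plus option for each field, spec, name) and returns an argc that does not include the NULL; with the fixed `char *argv[MAX_ARGS]` those writes would have run off the end of the stack array long before the `if (MAX_ARGS <= argc )` check, which only runs after the vector is complete.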