kdb: Fix overlap in buffers with strcpy
authorJason Wessel <jason.wessel@windriver.com>
Sun, 3 Feb 2013 15:32:28 +0000 (09:32 -0600)
committerJason Wessel <jason.wessel@windriver.com>
Sat, 2 Mar 2013 14:52:18 +0000 (08:52 -0600)
Maxime reported that strcpy(s->usage, s->usage+1) has no definitive
guarantee that it will work on all archs the same way when you have
overlapping memory.  The fix is simple for the kdb code because we
still have the original string memory in the function scope, so we
just have to use that as the argument instead.

Reported-by: Maxime Villard <rustyBSD@gmx.fr>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
kernel/debug/kdb/kdb_main.c

index 437b74ddca81e0d2bd1d5c5edd4f6397552167d6..de22c8cc6c30c57ff1f5a4c257bb47767155bd3d 100644 (file)
@@ -683,32 +683,44 @@ static int kdb_defcmd(int argc, const char **argv)
                return KDB_ARGCOUNT;
        defcmd_set = kmalloc((defcmd_set_count + 1) * sizeof(*defcmd_set),
                             GFP_KDB);
-       if (!defcmd_set) {
-               kdb_printf("Could not allocate new defcmd_set entry for %s\n",
-                          argv[1]);
-               defcmd_set = save_defcmd_set;
-               return KDB_NOTIMP;
-       }
+       if (!defcmd_set)
+               goto fail_defcmd;
        memcpy(defcmd_set, save_defcmd_set,
               defcmd_set_count * sizeof(*defcmd_set));
-       kfree(save_defcmd_set);
        s = defcmd_set + defcmd_set_count;
        memset(s, 0, sizeof(*s));
        s->usable = 1;
        s->name = kdb_strdup(argv[1], GFP_KDB);
+       if (!s->name)
+               goto fail_name;
        s->usage = kdb_strdup(argv[2], GFP_KDB);
+       if (!s->usage)
+               goto fail_usage;
        s->help = kdb_strdup(argv[3], GFP_KDB);
+       if (!s->help)
+               goto fail_help;
        if (s->usage[0] == '"') {
-               strcpy(s->usage, s->usage+1);
+               strcpy(s->usage, argv[2]+1);
                s->usage[strlen(s->usage)-1] = '\0';
        }
        if (s->help[0] == '"') {
-               strcpy(s->help, s->help+1);
+               strcpy(s->help, argv[3]+1);
                s->help[strlen(s->help)-1] = '\0';
        }
        ++defcmd_set_count;
        defcmd_in_progress = 1;
+       kfree(save_defcmd_set);
        return 0;
+fail_help:
+       kfree(s->usage);
+fail_usage:
+       kfree(s->name);
+fail_name:
+       kfree(defcmd_set);
+fail_defcmd:
+       kdb_printf("Could not allocate new defcmd_set entry for %s\n", argv[1]);
+       defcmd_set = save_defcmd_set;
+       return KDB_NOTIMP;
 }
 
 /*