Prevent freeing uninitialized pointer in compat_do_readv_writev
In 32-bit compatibility mode, the error handling for
compat_do_readv_writev() may free an uninitialized pointer, potentially
leading to all sorts of ugly memory corruption.  This is reliably
triggerable by unprivileged users by invoking the readv()/writev()
syscalls with an invalid iovec pointer.  The below patch fixes this to
emulate the non-compat version.

Introduced by commit b837336 ("compat: factor out
compat_rw_copy_check_uvector from compat_do_readv_writev")

Signed-off-by: Dan Rosenberg <[email protected]>
Cc: [email protected] (2.6.35)
Cc: Al Viro <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Dan Rosenberg authored and torvalds committed Sep 23, 2010
1 parent c79bd89 commit 767b68e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion fs/compat.c
@@ -1153,7 +1153,7 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
{
compat_ssize_t tot_len;
struct iovec iovstack[UIO_FASTIOV];
struct iovec *iov;
struct iovec *iov = iovstack;
ssize_t ret;
io_fn_t fn;
iov_fn_t fnv;
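Review bot: initializing `iov` at its declaration (`struct iovec *iov = iovstack;`) is the right minimal fix, because the error path the commit message describes frees `iov` before any assignment has happened, and a defined value that equals `iovstack` makes that free a no-op; the one thing worth adding is a short comment on the declaration stating that the initializer is relied upon by the cleanup path, since nothing in the hunk itself explains why a stack-buffer pointer is assigned here and a later refactor could silently drop it and reintroduce the uninitialized-free.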
