elevator_get() not check the name length, if the name length > sizeof(elv),
elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
like aaaaaaaaa, then call request_module() can load an not trust module.

Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>

---
 block/elevator.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/block/elevator.c b/block/elevator.c
index df75676..76e3702 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)
 
 		spin_unlock(&elv_list_lock);
 
-		sprintf(elv, "%s-iosched", name);
+		snprintf(elv, sizeof(elv), "%s-iosched", name);
 
 		request_module("%s", elv);
 		spin_lock(&elv_list_lock);
-- 
1.6.5.3

--

[ message continues ]

Thanks, good catch! Applied.


-- 
Jens Axboe

--

[ message continues ]

elv is defined as char elv[ELV_NAME_MAX + strlen("-iosched")];
so if name length > sizeof(elv), the name length must already bigger
than ELV_NAME_MAX

elevator_get is used in elevator_init, so if elevator_init is passing
a super long name, why not just return -EINVAL?
In this patch, if we pass a super long name, we're still trying to cut
it and request_module an invalid name, right?
--

[ message continues ]