| From 201f99f170df14ba52ea4c52847779042b7a623b Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 29 Oct 2013 22:06:04 +0300 |
| Subject: uml: check length in exitcode_proc_write() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 201f99f170df14ba52ea4c52847779042b7a623b upstream. |
| |
| We don't cap the size of buffer from the user so we could write past the |
| end of the array here. Only root can write to this file. |
| |
| Reported-by: Nico Golde <nico@ngolde.de> |
| Reported-by: Fabian Yamaguchi <fabs@goesec.de> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/um/kernel/exitcode.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/arch/um/kernel/exitcode.c |
| +++ b/arch/um/kernel/exitcode.c |
| @@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struc |
| const char __user *buffer, size_t count, loff_t *pos) |
| { |
| char *end, buf[sizeof("nnnnn\0")]; |
| + size_t size; |
| int tmp; |
| |
| - if (copy_from_user(buf, buffer, count)) |
| + size = min(count, sizeof(buf)); |
| + if (copy_from_user(buf, buffer, size)) |
| return -EFAULT; |
| |
| tmp = simple_strtol(buf, &end, 0); |
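Review bot: The added `size = min(count, sizeof(buf));` bounds the copy but still lets user data fill all `sizeof(buf)` bytes, and `buf` is declared without an initializer, so the `simple_strtol(buf, &end, 0)` call on the hunk's last line can parse a string with no NUL terminator and read past the end of the array. Reserving one byte and terminating explicitly closes that: `size = min(count, sizeof(buf) - 1);` and, after the `copy_from_user()` check, `buf[size] = '\0';`. Shorter writes have the same exposure, since nothing in the visible lines terminates the buffer unless the writer happens to supply a non-digit byte. Over-long input is also silently truncated rather than rejected; returning `-EINVAL` when `count >= sizeof(buf)` would be stricter, but the rest of `exitcode_proc_write()` lies outside the hunk, so its handling of `end` and the return value should be checked there.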