| From stable Mon Sep 17 00:00:00 2001 |
| From: Chris Wright <chrisw@sous-sol.org> |
| Subject: cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875) |
| |
| Use simple_read_from_buffer to avoid possible underflow in |
| cpuset_tasks_read which could allow user to read kernel memory. |
| |
| Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006 |
| |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| --- |
| kernel/cpuset.c | 7 +------ |
| 1 file changed, 1 insertion(+), 6 deletions(-) |
| |
| --- linux-2.6.21.3.orig/kernel/cpuset.c |
| +++ linux-2.6.21.3/kernel/cpuset.c |
| @@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct |
| { |
| struct ctr_struct *ctr = file->private_data; |
| |
| - if (*ppos + nbytes > ctr->bufsz) |
| - nbytes = ctr->bufsz - *ppos; |
| - if (copy_to_user(buf, ctr->buf + *ppos, nbytes)) |
| - return -EFAULT; |
| - *ppos += nbytes; |
| - return nbytes; |
| + return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz); |
| } |
| |
| static int cpuset_tasks_release(struct inode *unused_inode, struct file *file) |
