| From b996b1b8420756280eaa8501cfffbdc525aa7ce4 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 30 Jun 2021 18:54:38 -0700 |
| Subject: proc: Avoid mixing integer types in mem_rw() |
| |
| From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> |
| |
| [ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ] |
| |
| Use size_t when capping the count argument received by mem_rw(). Since |
| count is size_t, using min_t(int, ...) can lead to a negative value |
| that will later be passed to access_remote_vm(), which can cause |
| unexpected behavior. |
| |
| Since we are capping the value to at maximum PAGE_SIZE, the conversion |
| from size_t to int when passing it to access_remote_vm() as "len" |
| shouldn't be a problem. |
| |
| Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com |
| Reviewed-by: David Disseldorp <ddiss@suse.de> |
| Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> |
| Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> |
| Cc: Alexey Dobriyan <adobriyan@gmail.com> |
| Cc: Souza Cascardo <cascardo@canonical.com> |
| Cc: Christian Brauner <christian.brauner@ubuntu.com> |
| Cc: Michel Lespinasse <walken@google.com> |
| Cc: Helge Deller <deller@gmx.de> |
| Cc: Oleg Nesterov <oleg@redhat.com> |
| Cc: Lorenzo Stoakes <lstoakes@gmail.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/proc/base.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/fs/proc/base.c b/fs/proc/base.c |
| index 317a0762fc5f..e3f10c110b74 100644 |
| --- a/fs/proc/base.c |
| +++ b/fs/proc/base.c |
| @@ -835,7 +835,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf, |
| flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); |
| |
| while (count > 0) { |
| - int this_len = min_t(int, count, PAGE_SIZE); |
| + size_t this_len = min_t(size_t, count, PAGE_SIZE); |
| |
| if (write && copy_from_user(page, buf, this_len)) { |
| copied = -EFAULT; |
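Review bot: at the new `size_t this_len = min_t(size_t, count, PAGE_SIZE);` declaration, the argument that the later size_t-to-int narrowing for the "len" parameter of access_remote_vm() is safe lives only in the commit message. A one-line comment at the declaration stating that this_len never exceeds PAGE_SIZE would keep that invariant next to the code that depends on it. It is also worth checking that nothing further down the loop, outside the lines shown here, still compares this_len against a signed int, since that comparison would now be a mixed signed/unsigned one.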
| -- |
| 2.30.2 |
| |