| From f18c34e483ff6b1d9866472221e4015b3a4698e4 Mon Sep 17 00:00:00 2001 |
| From: Jan Kara <jack@suse.cz> |
| Date: Tue, 2 Jun 2015 17:10:28 +0200 |
| Subject: lib: Fix strnlen_user() to not touch memory after specified maximum |
| |
| From: Jan Kara <jack@suse.cz> |
| |
| commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. |
| |
| If the specified maximum length of the string is a multiple of unsigned |
| long, we would load one long behind the specified maximum. If that |
| happens to be in a next page, we can hit a page fault although we were |
| not expected to. |
| |
| Fix the off-by-one bug in the test whether we are at the end of the |
| specified range. |
| |
| Signed-off-by: Jan Kara <jack@suse.cz> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| lib/strnlen_user.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/lib/strnlen_user.c |
| +++ b/lib/strnlen_user.c |
| @@ -57,7 +57,8 @@ static inline long do_strnlen_user(const |
| return res + find_zero(data) + 1 - align; |
| } |
| res += sizeof(unsigned long); |
| - if (unlikely(max < sizeof(unsigned long))) |
| + /* We already handled 'unsigned long' bytes. Did we do it all ? */ |
| + if (unlikely(max <= sizeof(unsigned long))) |
| break; |
| max -= sizeof(unsigned long); |
| if (unlikely(__get_user(c,(unsigned long __user *)(src+res)))) |