diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-10-29 23:06:04 +0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-10-30 23:24:49 +0400 |
commit | 201f99f170df14ba52ea4c52847779042b7a623b (patch) | |
tree | d05f085f110325cf7e8c2bdda642b561225989ae | |
parent | 7314e613d5ff9f0934f7a0f74ed7973b903315d1 (diff) | |
download | linux-201f99f170df14ba52ea4c52847779042b7a623b.tar.xz |
uml: check length in exitcode_proc_write()
We don't cap the size of buffer from the user so we could write past the
end of the array here. Only root can write to this file.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | arch/um/kernel/exitcode.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c index 829df49dee99..41ebbfebb333 100644 --- a/arch/um/kernel/exitcode.c +++ b/arch/um/kernel/exitcode.c @@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *pos) { char *end, buf[sizeof("nnnnn\0")]; + size_t size; int tmp; - if (copy_from_user(buf, buffer, count)) + size = min(count, sizeof(buf)); + if (copy_from_user(buf, buffer, size)) return -EFAULT; tmp = simple_strtol(buf, &end, 0); |