summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2015-06-02 18:10:28 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2015-06-02 20:28:52 +0300
commitf18c34e483ff6b1d9866472221e4015b3a4698e4 (patch)
tree55542172dd992db5172eb64078ce01cac7db1a7b
parentc46a024ea5eb0165114dbbc8c82c29b7bcf66e71 (diff)
downloadlinux-f18c34e483ff6b1d9866472221e4015b3a4698e4.tar.xz
lib: Fix strnlen_user() to not touch memory after specified maximum
If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara <jack@suse.cz> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--lib/strnlen_user.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
index a28df5206d95..11649615c505 100644
--- a/lib/strnlen_user.c
+++ b/lib/strnlen_user.c
@@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
return res + find_zero(data) + 1 - align;
}
res += sizeof(unsigned long);
- if (unlikely(max < sizeof(unsigned long)))
+ /* We already handled 'unsigned long' bytes. Did we do it all ? */
+ if (unlikely(max <= sizeof(unsigned long)))
break;
max -= sizeof(unsigned long);
if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))