lib: Fix strnlen_user() to not touch memory after specified maximum

commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jan Kara <jack@suse.cz> 2015-06-02 17:10:28 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-06-05 23:19:54 -0700
commit: 73f668104f25d364f758e8c6738c2a1826d2f0fc (patch)
tree: 2bdd39a64fab484ca22b66d2395a35eb4179e20c
parent: e9aba80e289b3491597422f1bf843be5e8099a2d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
index a28df5206d95..11649615c505 100644
--- a/lib/strnlen_user.c
+++ b/lib/strnlen_user.c
@@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
 			return res + find_zero(data) + 1 - align;
 		}
 		res += sizeof(unsigned long);
-		if (unlikely(max < sizeof(unsigned long)))
+		/* We already handled 'unsigned long' bytes. Did we do it all ? */
+		if (unlikely(max <= sizeof(unsigned long)))
 			break;
 		max -= sizeof(unsigned long);
 		if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))
author	Jan Kara <jack@suse.cz>	2015-06-02 17:10:28 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-06-05 23:19:54 -0700
commit	73f668104f25d364f758e8c6738c2a1826d2f0fc (patch)
tree	2bdd39a64fab484ca22b66d2395a35eb4179e20c
parent	e9aba80e289b3491597422f1bf843be5e8099a2d (diff)