aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2013-10-29 19:06:04 +0000
committerWilly Tarreau <w@1wt.eu>2014-05-19 07:54:32 +0200
commit4b500c7ff030f35aa6f8badf2f243bc259021e39 (patch)
treeb91b4034fe616c0ab095566918d627af299f3553
parenta35f8f7b89f6c91bae8aa46507556de4185e9e7a (diff)
downloadlinux-linaro-stable-4b500c7ff030f35aa6f8badf2f243bc259021e39.tar.gz
uml: check length in exitcode_proc_write()
commit 201f99f170df14ba52ea4c52847779042b7a623b upstream We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
-rw-r--r--arch/um/kernel/exitcode.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 6540d2c9fbb7..ce057afb6218 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer,
unsigned long count, void *data)
{
char *end, buf[sizeof("nnnnn\0")];
+ size_t size;
int tmp;
- if (copy_from_user(buf, buffer, count))
+ size = min(count, sizeof(buf));
+ if (copy_from_user(buf, buffer, size))
return -EFAULT;
tmp = simple_strtol(buf, &end, 0);