Merge tag 'v4.14.52' into linux-linaro-lsk-v4.14lsk-v4.14-18.06

This is the 4.14.52 stable release
author: Mark Brown <broonie@kernel.org> 2018-06-27 14:26:12 +0100
committer: Mark Brown <broonie@kernel.org> 2018-06-27 14:26:12 +0100
commit: 1ce34dea91ae86bb18f493f72292df1bf6f66df7 (patch)
tree: a9655fcdd65c2068cc04ffe3562a9c710dfa2145 /fs/binfmt_misc.c
parent: b0e4376b34cab1cbbd7ed399a1df787890336837 (diff)
parent: a26899e0baa4de07caf97f5e4d7298240e98fd0e (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index a7c5a9861bef..8311e8ed76de 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -387,8 +387,13 @@ static Node *create_entry(const char __user *buffer, size_t count)
 		s = strchr(p, del);
 		if (!s)
 			goto einval;
-		*s++ = '\0';
-		e->offset = simple_strtoul(p, &p, 10);
+		*s = '\0';
+		if (p != s) {
+			int r = kstrtoint(p, 10, &e->offset);
+			if (r != 0 || e->offset < 0)
+				goto einval;
+		}
+		p = s;
 		if (*p++)
 			goto einval;
 		pr_debug("register: offset: %#x\n", e->offset);
@@ -428,7 +433,8 @@ static Node *create_entry(const char __user *buffer, size_t count)
 		if (e->mask &&
 		    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
 			goto einval;
-		if (e->size + e->offset > BINPRM_BUF_SIZE)
+		if (e->size > BINPRM_BUF_SIZE ||
+		    BINPRM_BUF_SIZE - e->size < e->offset)
 			goto einval;
 		pr_debug("register: magic/mask length: %i\n", e->size);
 		if (USE_DEBUG) {
author	Mark Brown <broonie@kernel.org>	2018-06-27 14:26:12 +0100
committer	Mark Brown <broonie@kernel.org>	2018-06-27 14:26:12 +0100
commit	1ce34dea91ae86bb18f493f72292df1bf6f66df7 (patch)
tree	a9655fcdd65c2068cc04ffe3562a9c710dfa2145 /fs/binfmt_misc.c
parent	b0e4376b34cab1cbbd7ed399a1df787890336837 (diff)
parent	a26899e0baa4de07caf97f5e4d7298240e98fd0e (diff)