author | Hammer_Tsao <Hammer_Tsao@asus.com> | 2016-07-19 16:02:05 +0800 |
---|---|---|
committer | Carol_Jiang <carol_jiang@asus.com> | 2016-07-19 18:07:00 +0800 |
commit | 11949c61ddb9dca01913b955bf708a0f3f0dd038 (patch) | |
tree | 3d051eec6affb4696a4ca457d0fa753ec22e8f1f | |
parent | 26a8760be0e4cbbb2046a3f30bc10c0fc5ce4012 (diff) |
anthias: security patch: CVE-2016-3775 android-wear-6.0.1_r0.51
ANDROID-28588279
Change-Id: Icd0dca9b8481a4de8ce597cb3ae45ceb109e1acb
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/244392
Reviewed-by: Hammer_Tsao <Hammer_Tsao@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
-rwxr-xr-x[-rw-r--r--] | fs/aio.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/fs/aio.c b/fs/aio.c
index ebd06fd0de89..032b4d16eea8 100644..100755
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
 {
- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
- return -EFAULT;
+ size_t len = kiocb->ki_nbytes;
+
+ if (len > MAX_RW_COUNT)
+ len = MAX_RW_COUNT;
+
+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
+ return -EFAULT;
 kiocb->ki_iovec = &kiocb->ki_inline_vec;
 kiocb->ki_iovec->iov_base = kiocb->ki_buf;
- kiocb->ki_iovec->iov_len = len;
+ kiocb->ki_iovec->iov_len = len;
 kiocb->ki_nr_segs = 1;
 return 0;
 }
|
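Review bot: In aio_setup_single_vector the clamped `len` goes into `access_ok()` and `iov_len`, but `kiocb->ki_nbytes` keeps the caller-supplied value, so the two lengths can disagree after this function returns. If anything outside this hunk still reads `ki_nbytes` for the transfer size, it would bypass the clamp; either write it back with `kiocb->ki_nbytes = len;` or add a comment saying which later check bounds it. The clamp itself is also undocumented: a line such as `/* Cap at MAX_RW_COUNT so an oversized ki_nbytes cannot reach the iovec (CVE-2016-3775) */` above the `if (len > MAX_RW_COUNT)` would keep the reason next to the code. Separately, the commit flips fs/aio.c from 100644 to 100755; an executable bit on a source file looks unintended and should be dropped from a security backport so the patch carries only the fix.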