diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-10-29 19:06:04 +0000 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2014-05-19 07:54:32 +0200 |
commit | 4b500c7ff030f35aa6f8badf2f243bc259021e39 (patch) | |
tree | b91b4034fe616c0ab095566918d627af299f3553 | |
parent | a35f8f7b89f6c91bae8aa46507556de4185e9e7a (diff) |
uml: check length in exitcode_proc_write()
commit 201f99f170df14ba52ea4c52847779042b7a623b upstream
We don't cap the size of buffer from the user so we could write past the
end of the array here. Only root can write to this file.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
-rw-r--r-- | arch/um/kernel/exitcode.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c index 6540d2c9fbb7..ce057afb6218 100644 --- a/arch/um/kernel/exitcode.c +++ b/arch/um/kernel/exitcode.c @@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer, unsigned long count, void *data) { char *end, buf[sizeof("nnnnn\0")]; + size_t size; int tmp; - if (copy_from_user(buf, buffer, count)) + size = min(count, sizeof(buf)); + if (copy_from_user(buf, buffer, size)) return -EFAULT; tmp = simple_strtol(buf, &end, 0); |