uml: check length in exitcode_proc_write()

We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: N Nico Golde <nico@ngolde.de> Reported-by: N Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

uml: check length in exitcode_proc_write()
We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: N Nico Golde <nico@ngolde.de> Reported-by: N Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
201f99f1 · Dan Carpenter · Linus Torvalds · 7314e613 · 201f99f1
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

arch/um/kernel/exitcode.c arch/um/kernel/exitcode.c +3 -1

未找到文件。
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file,
 		const char __user *buffer, size_t count, loff_t *pos)
 {
 	char *end, buf[sizeof("nnnnn\0")];
+	size_t size;
 	int tmp;

-	if (copy_from_user(buf, buffer, count))
+	size = min(count, sizeof(buf));
+	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;

 	tmp = simple_strtol(buf, &end, 0);