Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

uml: check length in exitcode_proc_write()

Browse source 
commit 201f99f170 upstream.

We don't cap the size of buffer from the user so we could write past the
end of the array here.  Only root can write to this file.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter 2013-10-29 22:06:04 +03:00 committed by Greg Kroah-Hartman
parent 8c373c185f
commit cc51af9329
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
arch/um/kernel/exitcode.c
View file

@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos) const char __user *buffer, size_t count, loff_t *pos)
{ {
char *end, buf[sizeof("nnnnn\0")]; char *end, buf[sizeof("nnnnn\0")];
size_t size;
int tmp; int tmp;
if (copy_from_user(buf, buffer, count)) size = min(count, sizeof(buf));
if (copy_from_user(buf, buffer, size))
return -EFAULT; return -EFAULT;
tmp = simple_strtol(buf, &end, 0); tmp = simple_strtol(buf, &end, 0);