lib: Fix strnlen_user() to not touch memory after specified maximum
commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
e9aba80e28
commit
73f668104f
|
@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
|
||||||
return res + find_zero(data) + 1 - align;
|
return res + find_zero(data) + 1 - align;
|
||||||
}
|
}
|
||||||
res += sizeof(unsigned long);
|
res += sizeof(unsigned long);
|
||||||
if (unlikely(max < sizeof(unsigned long)))
|
/* We already handled 'unsigned long' bytes. Did we do it all ? */
|
||||||
|
if (unlikely(max <= sizeof(unsigned long)))
|
||||||
break;
|
break;
|
||||||
max -= sizeof(unsigned long);
|
max -= sizeof(unsigned long);
|
||||||
if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))
|
if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))
|
||||||
|
|
Loading…
Reference in New Issue