diff options
author | Fabian Frederick <fabf@skynet.be> | 2020-05-12 20:19:21 +0200 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2020-05-13 17:16:57 +0200 |
commit | 5e23663b49e1e8ee6b805356259e3062edac5e2b (patch) | |
tree | 8ef30910ee1066193afa821953930f1e79e1b6fb /fs/notify | |
parent | 5a449099b9d5b0a1ac23c1cdbda4bfbaf4b27076 (diff) | |
download | lwn-5e23663b49e1e8ee6b805356259e3062edac5e2b.tar.gz lwn-5e23663b49e1e8ee6b805356259e3062edac5e2b.zip |
fanotify: don't write with size under sizeof(response)
fanotify_write() only aligned copy_from_user size to sizeof(response)
for higher values. This patch avoids all values below as suggested
by Amir Goldstein and set to response size unconditionally.
Link: https://lore.kernel.org/r/20200512181921.405973-1-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/notify')
-rw-r--r-- | fs/notify/fanotify/fanotify_user.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index 02a314acc757..63b5dffdca9e 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -487,8 +487,10 @@ static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t group = file->private_data; - if (count > sizeof(response)) - count = sizeof(response); + if (count < sizeof(response)) + return -EINVAL; + + count = sizeof(response); pr_debug("%s: group=%p count=%zu\n", __func__, group, count); |