diff options
| author | Jan Kara <jack@suse.cz> | 2015-06-02 17:10:28 +0200 |
|---|---|---|
| committer | Sasha Levin <sasha.levin@oracle.com> | 2015-06-09 14:31:43 -0400 |
| commit | bfad74288efce9d33b26ea2a694406d4e0727a20 (patch) | |
| tree | bbe35b8d1c1e5202c412333df9e4d7553715a5da /lib | |
| parent | ab673124ce097c0eb9a9e6691ebd41eb0d0225ba (diff) | |
| download | lwn-bfad74288efce9d33b26ea2a694406d4e0727a20.tar.gz lwn-bfad74288efce9d33b26ea2a694406d4e0727a20.zip | |
lib: Fix strnlen_user() to not touch memory after specified maximum
[ Upstream commit f18c34e483ff6b1d9866472221e4015b3a4698e4 ]
If the specified maximum length of the string is a multiple of unsigned
long, we would load one long behind the specified maximum. If that
happens to be in a next page, we can hit a page fault although we were
not expected to.
Fix the off-by-one bug in the test whether we are at the end of the
specified range.
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/strnlen_user.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c index a28df5206d95..11649615c505 100644 --- a/lib/strnlen_user.c +++ b/lib/strnlen_user.c @@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, return res + find_zero(data) + 1 - align; } res += sizeof(unsigned long); - if (unlikely(max < sizeof(unsigned long))) + /* We already handled 'unsigned long' bytes. Did we do it all ? */ + if (unlikely(max <= sizeof(unsigned long))) break; max -= sizeof(unsigned long); if (unlikely(__get_user(c,(unsigned long __user *)(src+res)))) |