uml: check length in exitcode_proc_write()

commit 201f99f1 upstream We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>

uml: check length in exitcode_proc_write()
commit 201f99f1 upstream We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
4b500c7f · Dan Carpenter · Willy Tarreau · a35f8f7b · 4b500c7f
Commit 4b500c7f authored Oct 29, 2013 by Dan Carpenter Committed by Willy Tarreau May 19, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

arch/um/kernel/exitcode.c arch/um/kernel/exitcode.c +3 -1

No files found.
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer,
 			       unsigned long count, void *data)
 {
 	char *end, buf[sizeof("nnnnn\0")];
+	size_t size;
 	int tmp;

-	if (copy_from_user(buf, buffer, count))
+	size = min(count, sizeof(buf));
+	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;

 	tmp = simple_strtol(buf, &end, 0);