uml: check length in exitcode_proc_write()

commit 201f99f170df14ba52ea4c52847779042b7a623b upstream We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-10-29 19:06:04 +0000
committer: Stefan Bader <stefan.bader@canonical.com> 2014-05-20 16:35:16 +0200
commit: 42d0caddcd7335460e75ea904a96a94cf0edb0f1 (patch)
tree: c32264c1cd5d41d91ec8c51dccd8874e2b19d87d
parent: 4fd9911b8ca1b81eb3e18fd83e6d36710b11f9e7 (diff)
download: linux-2.6.32.y-drm33.z-42d0caddcd7335460e75ea904a96a94cf0edb0f1.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 6540d2c9fbb76f..ce057afb621834 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer,
 			       unsigned long count, void *data)
 {
 	char *end, buf[sizeof("nnnnn\0")];
+	size_t size;
 	int tmp;
 
-	if (copy_from_user(buf, buffer, count))
+	size = min(count, sizeof(buf));
+	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;
 
 	tmp = simple_strtol(buf, &end, 0);
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-10-29 19:06:04 +0000
committer	Stefan Bader <stefan.bader@canonical.com>	2014-05-20 16:35:16 +0200
commit	42d0caddcd7335460e75ea904a96a94cf0edb0f1 (patch)
tree	c32264c1cd5d41d91ec8c51dccd8874e2b19d87d
parent	4fd9911b8ca1b81eb3e18fd83e6d36710b11f9e7 (diff)
download	linux-2.6.32.y-drm33.z-42d0caddcd7335460e75ea904a96a94cf0edb0f1.tar.gz