Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b8e51a6a authored by Yihui ZENG's avatar Yihui ZENG Committed by Vasily Gorbik
Browse files

s390/cmm: fix information leak in cmm_timeout_handler() 



The problem is that we were putting the NUL terminator too far:

	buf[sizeof(buf) - 1] = '\0';

If the user input isn't NUL terminated and they haven't initialized the
whole buffer then it leads to an info leak.  The NUL terminator should
be:

	buf[len - 1] = '\0';

Signed-off-by: default avatarYihui Zeng <yzeng56@asu.edu>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled]
Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
parent d6d5df1d

arch/s390/mm/cmm.c

+6 −6
Original line number Diff line number Diff line
@@ -298,16 +298,16 @@ static int cmm_timeout_handler(struct ctl_table *ctl, int write, 
	}



	if (write) {

		len = *lenp;

		if (copy_from_user(buf, buffer,

				   len > sizeof(buf) ? sizeof(buf) : len))

		len = min(*lenp, sizeof(buf));

		if (copy_from_user(buf, buffer, len))

			return -EFAULT;

		buf[sizeof(buf) - 1] = '\0';

		buf[len - 1] = '\0';

		cmm_skip_blanks(buf, &p);

		nr = simple_strtoul(p, &p, 0);

		cmm_skip_blanks(p, &p);

		seconds = simple_strtoul(p, &p, 0);

		cmm_set_timeout(nr, seconds);

		*ppos += *lenp;

	} else {

		len = sprintf(buf, "%ld %ld\n",

			      cmm_timeout_pages, cmm_timeout_seconds);
@@ -315,9 +315,9 @@ static int cmm_timeout_handler(struct ctl_table *ctl, int write, 
			len = *lenp;

		if (copy_to_user(buffer, buf, len))

			return -EFAULT;

	}

		*lenp = len;

		*ppos += len;

	}

	return 0;

}