Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 201f99f1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Linus Torvalds
Browse files

uml: check length in exitcode_proc_write() 



We don't cap the size of buffer from the user so we could write past the
end of the array here.  Only root can write to this file.

Reported-by: default avatarNico Golde <nico@ngolde.de>
Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 7314e613

arch/um/kernel/exitcode.c

+3 −1
Original line number Diff line number Diff line
@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file, 
		const char __user *buffer, size_t count, loff_t *pos)

{

	char *end, buf[sizeof("nnnnn\0")];

	size_t size;

	int tmp;



	if (copy_from_user(buf, buffer, count))

	size = min(count, sizeof(buf));

	if (copy_from_user(buf, buffer, size))

		return -EFAULT;



	tmp = simple_strtol(buf, &end, 0);