lib: Fix strnlen_user() to not touch memory after specified maximum (f18c34e4) · Commits · e / devices / android_kernel_teracube_2e

If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by:

Jan Kara <jack@suse.cz> Cc: stable@vger.kernel.org Signed-off-by:

Linus Torvalds <torvalds@linux-foundation.org>

lib/strnlen_user.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
	return res + find_zero(data) + 1 - align;		return res + find_zero(data) + 1 - align;
	}		}
	res += sizeof(unsigned long);		res += sizeof(unsigned long);
	if (unlikely(max < sizeof(unsigned long)))		/* We already handled 'unsigned long' bytes. Did we do it all ? */
			if (unlikely(max <= sizeof(unsigned long)))
	break;		break;
	max -= sizeof(unsigned long);		max -= sizeof(unsigned long);
	if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))		if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))