summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYihui ZENG <yzeng56@asu.edu>2019-10-25 12:31:48 +0300
committerBen Hutchings <ben@decadent.org.uk>2019-12-19 15:58:53 +0000
commitc97d5d87f654979c81a36fbd75844a41e5a82cdc (patch)
tree773ea66dd9d0172630f4bc3170af09185395e930
parent55bdc8a20226bb813ffa39acdd8089bd76b60beb (diff)
downloadlinux-stable-c97d5d87f654979c81a36fbd75844a41e5a82cdc.tar.gz
linux-stable-c97d5d87f654979c81a36fbd75844a41e5a82cdc.tar.bz2
linux-stable-c97d5d87f654979c81a36fbd75844a41e5a82cdc.zip
s390/cmm: fix information leak in cmm_timeout_handler()
commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream. The problem is that we were putting the NUL terminator too far: buf[sizeof(buf) - 1] = '\0'; If the user input isn't NUL terminated and they haven't initialized the whole buffer then it leads to an info leak. The NUL terminator should be: buf[len - 1] = '\0'; Signed-off-by: Yihui Zeng <yzeng56@asu.edu> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> [heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled] Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r--arch/s390/mm/cmm.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c
index 79ddd580d605..ca6fab51eea1 100644
--- a/arch/s390/mm/cmm.c
+++ b/arch/s390/mm/cmm.c
@@ -306,16 +306,16 @@ static int cmm_timeout_handler(struct ctl_table *ctl, int write,
}
if (write) {
- len = *lenp;
- if (copy_from_user(buf, buffer,
- len > sizeof(buf) ? sizeof(buf) : len))
+ len = min(*lenp, sizeof(buf));
+ if (copy_from_user(buf, buffer, len))
return -EFAULT;
- buf[sizeof(buf) - 1] = '\0';
+ buf[len - 1] = '\0';
cmm_skip_blanks(buf, &p);
nr = simple_strtoul(p, &p, 0);
cmm_skip_blanks(p, &p);
seconds = simple_strtoul(p, &p, 0);
cmm_set_timeout(nr, seconds);
+ *ppos += *lenp;
} else {
len = sprintf(buf, "%ld %ld\n",
cmm_timeout_pages, cmm_timeout_seconds);
@@ -323,9 +323,9 @@ static int cmm_timeout_handler(struct ctl_table *ctl, int write,
len = *lenp;
if (copy_to_user(buffer, buf, len))
return -EFAULT;
+ *lenp = len;
+ *ppos += len;
}
- *lenp = len;
- *ppos += len;
return 0;
}