summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorDominique Martinet <asmadeus@codewreck.org>2018-09-20 12:22:35 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-09-20 22:01:11 +0200
commita1b3d2f217cf51505858c5c160abef96c3e91721 (patch)
tree4e41b3280c26a589250f81abd8b4368491c7f459 /fs
parent889c695d419f19e5db52592dafbaf26143c36d1f (diff)
downloadlinux-a1b3d2f217cf51505858c5c160abef96c3e91721.tar.gz
linux-a1b3d2f217cf51505858c5c160abef96c3e91721.tar.bz2
linux-a1b3d2f217cf51505858c5c160abef96c3e91721.zip
fs/proc/kcore.c: fix invalid memory access in multi-page read optimization
The 'm' kcore_list item could point to kclist_head, and it is incorrect to look at m->addr / m->size in this case. There is no choice but to run through the list of entries for every address if we did not find any entry in the previous iteration Reset 'm' to NULL in that case at Omar Sandoval's suggestion. [akpm@linux-foundation.org: add comment] Link: http://lkml.kernel.org/r/1536100702-28706-1-git-send-email-asmadeus@codewreck.org Fixes: bf991c2231117 ("proc/kcore: optimize multiple page reads") Signed-off-by: Dominique Martinet <asmadeus@codewreck.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Omar Sandoval <osandov@osandov.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: James Morse <james.morse@arm.com> Cc: Bhupesh Sharma <bhsharma@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/proc/kcore.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index ad72261ee3fe..d297fe4472a9 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -464,6 +464,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
ret = -EFAULT;
goto out;
}
+ m = NULL; /* skip the list anchor */
} else if (m->type == KCORE_VMALLOC) {
vread(buf, (char *)start, tsz);
/* we have to zero-fill user buffer even if no read */