fanotify: don't write with size under sizeof(response)

fanotify_write() only aligned copy_from_user size to sizeof(response) for higher values. This patch avoids all values below as suggested by Amir Goldstein and set to response size unconditionally. Link: https://lore.kernel.org/r/20200512181921.405973-1-fabf@skynet.beSigned-off-by: Fabian Frederick <fabf@skynet.be> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>

fanotify: don't write with size under sizeof(response)
fanotify_write() only aligned copy_from_user size to sizeof(response) for higher values. This patch avoids all values below as suggested by Amir Goldstein and set to response size unconditionally. Link: https://lore.kernel.org/r/20200512181921.405973-1-fabf@skynet.beSigned-off-by: Fabian Frederick <fabf@skynet.be> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
5e23663b · Fabian Frederick · Jan Kara · 5a449099 · 5e23663b
Commit 5e23663b authored May 12, 2020 by Fabian Frederick Committed by Jan Kara May 13, 2020
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

fs/notify/fanotify/fanotify_user.c fs/notify/fanotify/fanotify_user.c +4 -2

No files found.
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -487,7 +487,9 @@ static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t
 	group = file->private_data;
-	if (count > sizeof(response))
+	if (count < sizeof(response))
+		return -EINVAL;
 	count = sizeof(response);
 	pr_debug("%s: group=%p count=%zu\n", __func__, group, count);