stm: Potential read overflow in stm_char_policy_set_ioctl()

The "size" variable comes from the user so we need to verify that it's large enough to hold an stp_policy_id struct. Fixes: 7bd1d409 ("stm class: Introduce an abstraction for System Trace Module devices") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>

stm: Potential read overflow in stm_char_policy_set_ioctl()
The "size" variable comes from the user so we need to verify that it's large enough to hold an stp_policy_id struct. Fixes: 7bd1d409 ("stm class: Introduce an abstraction for System Trace Module devices") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
71c488f3 · Dan Carpenter · Alexander Shishkin · 5771a8c0 · 71c488f3
Commit 71c488f3 authored Aug 10, 2017 by Dan Carpenter Committed by Alexander Shishkin Aug 25, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/hwtracing/stm/core.c drivers/hwtracing/stm/core.c +1 -1

No files found.
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -566,7 +566,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
 	if (copy_from_user(&size, arg, sizeof(size)))
 		return -EFAULT;

-	if (size >= PATH_MAX + sizeof(*id))
+	if (size < sizeof(*id) || size >= PATH_MAX + sizeof(*id))
 		return -EINVAL;

 	/*