Commit 201f99f1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Linus Torvalds

uml: check length in exitcode_proc_write()

We don't cap the size of buffer from the user so we could write past the
end of the array here.  Only root can write to this file.
Reported-by: default avatarNico Golde <nico@ngolde.de>
Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 7314e613
......@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file,
const char __user *buffer, size_t count, loff_t *pos)
{
char *end, buf[sizeof("nnnnn\0")];
size_t size;
int tmp;
if (copy_from_user(buf, buffer, count))
size = min(count, sizeof(buf));
if (copy_from_user(buf, buffer, size))
return -EFAULT;
tmp = simple_strtol(buf, &end, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment