From: Dan C. <dan...@or...> - 2013-10-29 19:09:35
|
We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <ni...@ng...> Reported-by: Fabian Yamaguchi <fa...@go...> Signed-off-by: Dan Carpenter <dan...@or...> diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c index 829df49..41ebbfe 100644 --- a/arch/um/kernel/exitcode.c +++ b/arch/um/kernel/exitcode.c @@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struct file *file, const char __user *buffer, size_t count, loff_t *pos) { char *end, buf[sizeof("nnnnn\0")]; + size_t size; int tmp; - if (copy_from_user(buf, buffer, count)) + size = min(count, sizeof(buf)); + if (copy_from_user(buf, buffer, size)) return -EFAULT; tmp = simple_strtol(buf, &end, 0); |