[PATCH 2.6.32 27/62] x86_64: Fix strnlen_user() to not touch memory after specified maximum

From: Willy Tarreau
Date: Sat Sep 12 2015 - 19:26:31 EST

Next message: Willy Tarreau: "[PATCH 2.6.32 55/62] s390/process: fix sfpc inline assembly"
Previous message: Willy Tarreau: "[PATCH 2.6.32 21/62] md/raid5: dont record new size if resize_stripes fails."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.32-longterm review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>

Inspired by commit f18c34e483ff ("lib: Fix strnlen_user() to not touch
memory after specified maximum") upstream. This version of
strnlen_user(), no longer present upstream, has a similar off-by-one
error.

Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Cc: Jan Kara <jack@xxxxxxx>
(cherry picked from commit 4797489ce83a5f42d0b38089695a48d4a3d1ee0b)

Signed-off-by: Willy Tarreau <w@xxxxxx>
---
arch/x86/lib/usercopy_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
index b7c2849..3428d91 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -113,7 +113,7 @@ long __strnlen_user(const char __user *s, long n)
char c;

while (1) {
- if (res>n)
+ if (res >= n)
return n+1;
if (__get_user(c, s))
return 0;
--
1.7.12.2.21.g234cd45.dirty

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Willy Tarreau: "[PATCH 2.6.32 55/62] s390/process: fix sfpc inline assembly"
Previous message: Willy Tarreau: "[PATCH 2.6.32 21/62] md/raid5: dont record new size if resize_stripes fails."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]