Re: [PATCH] sys: don't hold uts_sem while accessing userspace memory
From: Al Viro
Date: Mon Jun 25 2018 - 12:41:23 EST
On Mon, Jun 25, 2018 at 06:34:10PM +0200, Jann Horn wrote:
> + char tmp[32];
>
> - if (namelen > 32)
> + if (namelen < 0 || namelen > 32)
> namelen = 32;
>
> down_read(&uts_sem);
> kname = utsname()->domainname;
> len = strnlen(kname, namelen);
> - if (copy_to_user(name, kname, min(len + 1, namelen)))
> - err = -EFAULT;
> + len = min(len + 1, namelen);
> + memcpy(tmp, kname, len);
> up_read(&uts_sem);
>
> - return err;
> + if (copy_to_user(name, tmp, len))
> + return -EFAULT;
Infoleak, and similar in a lot of other places.