uml: check length in exitcode_proc_write() We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: 201f99f170df14ba52ea4c52847779042b7a623b [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Tue Oct 29 22:06:04 2013 +0300
committer: Linus Torvalds <torvalds@linux-foundation.org> Wed Oct 30 12:24:49 2013 -0700
tree: d05f085f110325cf7e8c2bdda642b561225989ae
parent: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 [diff]
diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 829df49..41ebbfe 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c

@@ -40,9 +40,11 @@
 		const char __user *buffer, size_t count, loff_t *pos)
 {
 	char *end, buf[sizeof("nnnnn\0")];
+	size_t size;
 	int tmp;
 
-	if (copy_from_user(buf, buffer, count))
+	size = min(count, sizeof(buf));
+	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;
 
 	tmp = simple_strtol(buf, &end, 0);
commit	201f99f170df14ba52ea4c52847779042b7a623b	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Tue Oct 29 22:06:04 2013 +0300
committer	Linus Torvalds <torvalds@linux-foundation.org>	Wed Oct 30 12:24:49 2013 -0700
tree	d05f085f110325cf7e8c2bdda642b561225989ae
parent	7314e613d5ff9f0934f7a0f74ed7973b903315d1 [diff]