commit 2ca9bb456ada8bcbdc8f77f8fc78207653bbaa92
author Kees Cook <keescook@chromium.org> Fri Jun 06 14:37:18 2014 -0700
committer Linus Torvalds <torvalds@linux-foundation.org> Fri Jun 06 16:08:13 2014 -0700
tree 05f8bd09ad6e9b24b735d7cf90c3167bade83050
parent f88083005ab319abba5d0b2e4e997558245493c8

sysctl: refactor sysctl string writing logic

Consolidate buffer length checking with new-line/end-of-line checking.
Additionally, instead of reading user memory twice, just do the
assignment during the loop.

This change doesn't affect the potential races here.  It was already
possible to read a sysctl that was in the middle of a write.  In both
cases, the string will always be NULL terminated.  The pre-existing race
remains a problem to be solved.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kernel/sysctl.c

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 3e214be..ac6847f 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1717,21 +1717,18 @@
 	}
 
 	if (write) {
+		/* Start writing from beginning of buffer. */
 		len = 0;
+		*ppos += *lenp;
 		p = buffer;
-		while (len < *lenp) {
+		while ((p - buffer) < *lenp && len < maxlen - 1) {
 			if (get_user(c, p++))
 				return -EFAULT;
 			if (c == 0 || c == '\n')
 				break;
-			len++;
+			data[len++] = c;
 		}
-		if (len >= maxlen)
-			len = maxlen-1;
-		if(copy_from_user(data, buffer, len))
-			return -EFAULT;
 		data[len] = 0;
-		*ppos += *lenp;
 	} else {
 		len = strlen(data);
 		if (len > maxlen)