Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 6a029a90f5b93e2b50bcbbaef05ef91fa0c1d6b3
commit6a029a90f5b93e2b50bcbbaef05ef91fa0c1d6b3[log] [tgz]
authorAl Viro <viro@parcelfarce.linux.theplanet.co.uk>Sat Aug 27 06:48:15 2005 +0100
committerLinus Torvalds <torvalds@g5.osdl.org>Sat Aug 27 10:11:40 2005 -0700
treeba62bf7de680c10c00224305d628b484494918a1
parent36676bcbf9f6bcbea9d06e67ee8d04eacde54952 [diff]
[PATCH] mmaper_kern.c fixes [buffer overruns]

 - copy_from_user() can fail; ->write() must check its return value.

 - severe buffer overruns both in ->read() and ->write() - lseek to the
   end (i.e.  to mmapper_size) and

	if (count + *ppos > mmapper_size)
		count = count + *ppos - mmapper_size;

   will do absolutely nothing.  Then it will call

	copy_to_user(buf,&v_buf[*ppos],count);

   with obvious results (similar for ->write()).

   Fixed by turning read to simple_read_from_buffer() and by doing
   normal limiting of count in ->write().

 - gratitious lock_kernel() in ->mmap() - it's useless there.

 - lots of gratuitous includes.

Signed-off-by: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
1 file changed
tree: ba62bf7de680c10c00224305d628b484494918a1
  1. arch/
  2. crypto/
  3. Documentation/
  4. drivers/
  5. fs/
  6. include/
  7. init/
  8. ipc/
  9. kernel/
  10. lib/
  11. mm/
  12. net/
  13. scripts/
  14. security/
  15. sound/
  16. usr/
  17. COPYING
  18. CREDITS
  19. MAINTAINERS
  20. Makefile
  21. README
  22. REPORTING-BUGS