Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932317AbbFYKUA (ORCPT ); Thu, 25 Jun 2015 06:20:00 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:39650 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752608AbbFYKDL (ORCPT ); Thu, 25 Jun 2015 06:03:11 -0400 From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Cc: Jan Kara , Linus Torvalds , Luis Henriques Subject: [PATCH 3.16.y-ckt 19/71] lib: Fix strnlen_user() to not touch memory after specified maximum Date: Thu, 25 Jun 2015 11:01:58 +0100 Message-Id: <1435226570-3669-20-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1435226570-3669-1-git-send-email-luis.henriques@canonical.com> References: <1435226570-3669-1-git-send-email-luis.henriques@canonical.com> X-Extended-Stable: 3.16 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1598 Lines: 42 3.16.7-ckt14 -stable review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds Signed-off-by: Luis Henriques --- lib/strnlen_user.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c index a28df5206d95..11649615c505 100644 --- a/lib/strnlen_user.c +++ b/lib/strnlen_user.c @@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, return res + find_zero(data) + 1 - align; } res += sizeof(unsigned long); - if (unlikely(max < sizeof(unsigned long))) + /* We already handled 'unsigned long' bytes. Did we do it all ? */ + if (unlikely(max <= sizeof(unsigned long))) break; max -= sizeof(unsigned long); if (unlikely(__get_user(c,(unsigned long __user *)(src+res)))) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/