On Wed, 9 Oct 2013 14:05:26 +0400 Andrey Konovalov <andreyk...@google.com> wrote:
> So I still think that the bug is in 'trage_get_user()': > Checking that 'parser->idx < parser->size - 1' is not performed in 'if > (isspace(ch))' section, so 'parser->idx' becomes equal to > 'parser->size' after 'parser->buffer[parser->idx++] = ch;'. > (However in 'while (cnt && !isspace(ch))' loop checking is performed.) Yep, you are correct. I put in some printk's and did same writing to the set_events file and was able to prove that I could get that "0" written into the +1 overflow boundary. Can you try this patch to see if it fixes it for you. Thanks, -- Steve diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index d5f7c4d..063a92b 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -843,9 +843,12 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf, if (isspace(ch)) { parser->buffer[parser->idx] = 0; parser->cont = false; - } else { + } else if (parser->idx < parser->size - 1) { parser->cont = true; parser->buffer[parser->idx++] = ch; + } else { + ret = -EINVAL; + goto out; } *ppos += read; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/