Currently strnlen_user() can return numbers between 0 and count + sizeof(unsigned long) - 1. Currently, no in tree users seem to care but I have found out of tree users which were broken by this. They wanted to truncate the string if it was too long to fit into a buffer and didn't count with the fact that strnlen_user() can return more. So make the function harder to use wrong and return count + 1 max.
CC: Linus Torvalds <[email protected]> Signed-off-by: Jan Kara <[email protected]> --- lib/strnlen_user.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c index fd03ae980013..2e47f9e16a79 100644 --- a/lib/strnlen_user.c +++ b/lib/strnlen_user.c @@ -54,7 +54,10 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); - return res + find_zero(data) + 1 - align; + res = res + find_zero(data) + 1 - align; + if (res > count) + return count + 1; + return res; } res += sizeof(unsigned long); if (unlikely(max <= sizeof(unsigned long))) -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
