/dev/mem: Avoid overwriting "err" in read_mem()

commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream.

Successes in probe_kernel_read() would mask failures in copy_to_user()
during read_mem().

Reported-by: Brad Spengler <spender@grsecurity.net>
Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 3a70dba2c645ac1b7ab905c3bf4faa571e2e420d..f11224a5dc5c787b7c4cc168c1230cc5cb94bc01 100644 (file)
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *file, char __user *buf,
 
        while (count > 0) {
                unsigned long remaining;
-               int allowed;
+               int allowed, probe;
 
                sz = size_inside_page(p, count);
 
@@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *file, char __user *buf,
                        if (!ptr)
                                goto failed;
 
-                       err = probe_kernel_read(bounce, ptr, sz);
+                       probe = probe_kernel_read(bounce, ptr, sz);
                        unxlate_dev_mem_ptr(p, ptr);
-                       if (err)
+                       if (probe)
                                goto failed;
 
                        remaining = copy_to_user(buf, bounce, sz);