From: Cliff Wickman Date: Mon, 23 Jun 2008 13:32:25 +0000 (-0500) Subject: x86, SGI UV: uv_ptc_proc_write fix X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e7eb8726d0e144f0925972c4ecee945e91a42753;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git x86, SGI UV: uv_ptc_proc_write fix Someone could write 0 bytes to /proc/sgi_uv/ptc_statistics, causing optstr[count - 1] = '\0'; to write to who-knows-where. (Andi Kleen noticed this need from a patch I sent for similar code in the ia64 world (sn2_ptc_proc_write()).) (count less than zero is not possible here, as count is unsigned) Signed-off-by: Cliff Wickman Signed-off-by: Ingo Molnar --- diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c index c503b7f0448..d0fbb7712ab 100644 --- a/arch/x86/kernel/tlb_uv.c +++ b/arch/x86/kernel/tlb_uv.c @@ -492,7 +492,7 @@ static ssize_t uv_ptc_proc_write(struct file *file, const char __user *user, long newmode; char optstr[64]; - if (count > 64) + if (count == 0 || count > sizeof(optstr)) return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT;