Just as a precaution, make sure that proc handlers don't accidentally
grow "count" beyond the allocated kbuf size.
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
This applies to hch's sysctl cleanup tree...
---
fs/proc/proc_sysctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 15030784566c..535ab26473af 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
struct inode *inode = file_inode(filp);
struct ctl_table_header *head = grab_header(inode);
struct ctl_table *table = PROC_I(inode)->sysctl_entry;
+ size_t count_max = count;
void *kbuf;
ssize_t error;
@@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
if (!write) {
error = -EFAULT;
+ if (WARN_ON(count > count_max))
+ count = count_max;
if (copy_to_user(ubuf, kbuf, count))
goto out_free_buf;
}
--
2.20.1
--
Kees Cook
