On 08/20/2013 11:28 PM, Jan Kara wrote:
> On Tue 20-08-13 11:23:24, Chen Gang wrote:
>> '*lenp' may be less than "sizeof(kbuf)", need check it before the next
>> copy_to_user().
>>
>> pdflush_proc_obsolete() is called by sysctl which 'procname' is
>> "nr_pdflush_threads", if the user passes buffer length less than
>> "sizeof(kbuf)", it will cause issue.
>>
> Good catch. The patch looks good. You can add:
> Reviewed-by: Jan Kara <jack@xxxxxxx>
>
Thanks.
> Honza
>>
>> Signed-off-by: Chen Gang <gang.chen@xxxxxxxxxxx>
>> ---
>> mm/backing-dev.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/mm/backing-dev.c b/mm/backing-dev.c
>> index e04454c..2674671 100644
>> --- a/mm/backing-dev.c
>> +++ b/mm/backing-dev.c
>> @@ -649,7 +649,7 @@ int pdflush_proc_obsolete(struct ctl_table *table, int write,
>> {
>> char kbuf[] = "0\n";
>>
>> - if (*ppos) {
>> + if (*ppos || *lenp < sizeof(kbuf)) {
>> *lenp = 0;
>> return 0;
>> }
>> --
>> 1.7.7.6
--
Chen Gang
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>