Hi, Ajay!
On 11/6/21 12:20, Ajay Garg wrote:
Both (statically-allocated) "user_kdgkb->kb_string" and
(dynamically-allocated) "kbs" are of length "len", so we must
not copy more than "len" bytes.
Signed-off-by: Ajay Garg <ajaygargnsit@xxxxxxxxx>
---
drivers/tty/vt/keyboard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index c7fbbcdcc346..dfef7de8a057 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -2070,7 +2070,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
len = strlcpy(kbs, func_table[kb_func] ? : "", len);
^^^^^^^^^
len is reinitialized here, i.e len passed to kmalloc and len passed to
copy_to_user() can be different.
strlcpy() returns strlen() of source string (2nd argument), that's why
we need +1 here to pass null byte to user.
Am I missing something?
spin_unlock_irqrestore(&func_buf_lock, flags);
- ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
+ ret = copy_to_user(user_kdgkb->kb_string, kbs, len) ?
-EFAULT : 0;
break;
With regards,
Pavel Skripkin
