From: Changbin Du <changbin.du@xxxxxxxxx>
The parser parse every string into parser.buffer. And some of the callers
assume that parser.buffer contains a C string. So it is dangerous that the
parser returns a unterminated string. The userspace can leverage this to
attack the kernel.
Signed-off-by: Changbin Du <changbin.du@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
kernel/trace/trace.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 18526a1..e1baca0 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -530,8 +530,6 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
ubuf += ret;
cnt -= ret;
- parser.buffer[parser.idx] = 0;
-
ret = -EINVAL;
if (kstrtoul(parser.buffer, 0, &val))
break;
@@ -1253,7 +1251,7 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
/* read the non-space input */
while (cnt && !is_space_or_zero(ch)) {
- if (parser->idx < parser->size - 1)
+ if (parser->idx < parser->size - 2)
parser->buffer[parser->idx++] = ch;
else {
ret = -EINVAL;
@@ -1270,9 +1268,11 @@ int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
if (is_space_or_zero(ch)) {
parser->buffer[parser->idx] = 0;
parser->cont = false;
- } else if (parser->idx < parser->size - 1) {
+ } else if (parser->idx < parser->size - 2) {
parser->cont = true;
parser->buffer[parser->idx++] = ch;
+ /* Make sure the parsed string always terminates with '\0'. */
+ parser->buffer[parser->idx] = 0;
} else {
ret = -EINVAL;
goto out;
--
2.7.4