6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Brennan Xavier McManus <bxmcmanus@xxxxxxxxx> commit 791f4641142e2aced85de082e5783b4fb0b977c2 upstream. Pass user_p_len to memcpy() instead of heap->len to prevent realloc() from copying an extra sizeof(heap) bytes from beyond the allocated region. Signed-off-by: Brennan Xavier McManus <bxmcmanus@xxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Ammar Faizi <ammarfaizi2@xxxxxxxxxxx> Fixes: 0e0ff638400be8f497a35b51a4751fd823f6bd6a ("tools/nolibc/stdlib: Implement `malloc()`, `calloc()`, `realloc()` and `free()`") Signed-off-by: Willy Tarreau <w@xxxxxx> Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- tools/include/nolibc/stdlib.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/include/nolibc/stdlib.h +++ b/tools/include/nolibc/stdlib.h @@ -166,7 +166,7 @@ void *realloc(void *old_ptr, size_t new_ if (__builtin_expect(!ret, 0)) return NULL; - memcpy(ret, heap->user_p, heap->len); + memcpy(ret, heap->user_p, user_p_len); munmap(heap, heap->len); return ret; }