diff options
| author | Chen Gang <[email protected]> | 2013-09-11 14:22:44 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2013-09-11 15:58:03 -0700 |
| commit | 4c3bffc272755c98728c2b58b1a8148cf9e9fd1f (patch) | |
| tree | 9d9583af840199d75e8e8eac61159372a74a38ba | |
| parent | 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (diff) | |
mm/backing-dev.c: check user buffer length before copying data to the related user buffer
'*lenp' may be less than "sizeof(kbuf)" so we must check this before the
next copy_to_user().
pdflush_proc_obsolete() is called by sysctl which 'procname' is
"nr_pdflush_threads", if the user passes buffer length less than
"sizeof(kbuf)", it will cause issue.
Signed-off-by: Chen Gang <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Cc: Tejun Heo <[email protected]>
Cc: Jeff Moyer <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
| -rw-r--r-- | mm/backing-dev.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 37d9edcd14cf..ce682f7a4f29 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -652,7 +652,7 @@ int pdflush_proc_obsolete(struct ctl_table *table, int write, { char kbuf[] = "0\n"; - if (*ppos) { + if (*ppos || *lenp < sizeof(kbuf)) { *lenp = 0; return 0; } |