A malicious user could pass an arbitrarily bad value to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6 ("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Found via static analysis and code review.
Fixes: 3783225130f0 ("powerpc/pseries: use memdup_user_nul") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin linmq006@gmail.com --- arch/powerpc/platforms/pseries/reconfig.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/reconfig.c b/arch/powerpc/platforms/pseries/reconfig.c index 599bd2c78514..b6bc1d8b2207 100644 --- a/arch/powerpc/platforms/pseries/reconfig.c +++ b/arch/powerpc/platforms/pseries/reconfig.c @@ -366,6 +366,9 @@ static ssize_t ofdt_write(struct file *file, const char __user *buf, size_t coun if (rv) return rv;
+ if (count == 0 || count > PAGE_SIZE) + return -EINVAL; + kbuf = memdup_user_nul(buf, count); if (IS_ERR(kbuf)) return PTR_ERR(kbuf);
linux-stable-mirror@lists.linaro.org
-
Miaoqian Lin