diff options
author | James Hogan <james.hogan@imgtec.com> | 2017-05-02 18:41:06 (GMT) |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-05-25 13:44:46 (GMT) |
commit | e8a8a6972c5075e6057264c45614d13f9e0307e5 (patch) | |
tree | 39b99fdc2331c3dab1ef829d9ac47a73710c67de /kernel | |
parent | 9fefcb947ec2c2b6900b4c10aface329af0fd9c5 (diff) | |
download | linux-e8a8a6972c5075e6057264c45614d13f9e0307e5.tar.xz |
metag/uaccess: Check access_ok in strncpy_from_user
commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.
The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.
Its still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions