[Lucid][CVE-2013-4512] uml: check length in exitcode_proc_write()

Luis Henriques luis.henriques at canonical.com
Fri Nov 8 13:32:10 UTC 2013

From: Dan Carpenter <dan.carpenter at oracle.com>

BugLink: http://bugs.launchpad.net/bugs/1249271


We don't cap the size of buffer from the user so we could write past the
end of the array here.  Only root can write to this file.

Reported-by: Nico Golde <nico at ngolde.de>
Reported-by: Fabian Yamaguchi <fabs at goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Cc: stable at kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit 201f99f170df14ba52ea4c52847779042b7a623b)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 arch/um/kernel/exitcode.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 6540d2c..ce057af 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer,
 			       unsigned long count, void *data)
 	char *end, buf[sizeof("nnnnn\0")];
+	size_t size;
 	int tmp;
-	if (copy_from_user(buf, buffer, count))
+	size = min(count, sizeof(buf));
+	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;
 	tmp = simple_strtol(buf, &end, 0);
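
Review bot: The clamp `size = min(count, sizeof(buf));` stops the out-of-bounds write, but the `simple_strtol(buf, &end, 0)` call after it can still read past the end of the array. When count is at least sizeof(buf), the copy fills buf completely and leaves no NUL terminator. buf is also declared without an initializer, so a shorter write leaves uninitialized stack bytes after the copied data. Suggest clamping to sizeof(buf) - 1 and setting `buf[size] = '\0';` after the copy, or returning -EINVAL for oversized input instead of silently truncating it. Separately, count is unsigned long while sizeof(buf) is size_t, so `min_t(size_t, count, sizeof(buf))` would avoid a type-mismatch warning from min() on builds where the two types differ.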
