[UBUNTU oem-5.14, jammy, oem-5.17, kinetic, oem-6.0, unstable 1/2] proc: proc_skip_spaces() shouldn't think it is working on C strings
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Dec 12 21:05:46 UTC 2022
- Previous message (by thread): [UBUNTU oem-5.14, jammy, oem-5.17, kinetic, oem-6.0, unstable 0/2] CVE-2022-4378
- Next message (by thread): [UBUNTU oem-5.14, jammy, oem-5.17, kinetic, oem-6.0, unstable 2/2] proc: avoid integer type confusion in get_proc_long
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
From: Linus Torvalds <torvalds at linux-foundation.org>
proc_skip_spaces() seems to think it is working on C strings, and ends
up being just a wrapper around skip_spaces() with a really odd calling
convention.
Instead of basing it on skip_spaces(), it should have looked more like
proc_skip_char(), which really is the exact same function (except it
skips a particular character, rather than whitespace). So use that as
inspiration, odd coding and all.
Now the calling convention actually makes sense and works for the
intended purpose.
Reported-and-tested-by: Kyle Zeng <zengyhkyle at gmail.com>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit bce9332220bd677d83b19d21502776ad555a0e73)
CVE-2022-4378
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
kernel/sysctl.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 22f5d6df43b7..bb5fd3455723 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -268,13 +268,14 @@ int proc_dostring(struct ctl_table *table, int write,
ppos);
}
-static size_t proc_skip_spaces(char **buf)
+static void proc_skip_spaces(char **buf, size_t *size)
{
- size_t ret;
- char *tmp = skip_spaces(*buf);
- ret = tmp - *buf;
- *buf = tmp;
- return ret;
+ while (*size) {
+ if (!isspace(**buf))
+ break;
+ (*size)--;
+ (*buf)++;
+ }
}
static void proc_skip_char(char **buf, size_t *size, const char v)
@@ -522,7 +523,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
bool neg;
if (write) {
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
if (!left)
break;
@@ -549,7 +550,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
if (!write && !first && left && !err)
proc_put_char(&buffer, &left, '\n');
if (write && !err && left)
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
if (write && first)
return err ? : -EINVAL;
*lenp -= left;
@@ -591,7 +592,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
if (left > PAGE_SIZE - 1)
left = PAGE_SIZE - 1;
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
if (!left) {
err = -EINVAL;
goto out_free;
@@ -611,7 +612,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
}
if (!err && left)
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
out_free:
if (err)
@@ -1076,7 +1077,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
if (write) {
bool neg;
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
if (!left)
break;
@@ -1105,7 +1106,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
if (!write && !first && left && !err)
proc_put_char(&buffer, &left, '\n');
if (write && !err)
- left -= proc_skip_spaces(&p);
+ proc_skip_spaces(&p, &left);
if (write && first)
return err ? : -EINVAL;
*lenp -= left;
--
2.34.1
- Previous message (by thread): [UBUNTU oem-5.14, jammy, oem-5.17, kinetic, oem-6.0, unstable 0/2] CVE-2022-4378
- Next message (by thread): [UBUNTU oem-5.14, jammy, oem-5.17, kinetic, oem-6.0, unstable 2/2] proc: avoid integer type confusion in get_proc_long
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the kernel-team
mailing list