uml: check length in exitcode_proc_write()

commit 201f99f170df14ba52ea4c52847779042b7a623b upstream

We don't cap the size of buffer from the user so we could write past the
end of the array here.  Only root can write to this file.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 6540d2c9fbb76f684db03539e26e202178cf18f5..ce057afb6218347973bf4c6edeb48fc46b7f224d 100644 (file)
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -42,9 +42,11 @@ static int write_proc_exitcode(struct file *file, const char __user *buffer,
                               unsigned long count, void *data)
 {
        char *end, buf[sizeof("nnnnn\0")];
+       size_t size;
        int tmp;
 
-       if (copy_from_user(buf, buffer, count))
+       size = min(count, sizeof(buf));
+       if (copy_from_user(buf, buffer, size))
                return -EFAULT;
 
        tmp = simple_strtol(buf, &end, 0);