From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934337AbdHYQQ1 (ORCPT ); Fri, 25 Aug 2017 12:16:27 -0400 Received: from mga02.intel.com ([134.134.136.20]:12567 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934311AbdHYQQV (ORCPT ); Fri, 25 Aug 2017 12:16:21 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.41,426,1498546800"; d="scan'208";a="894086769" From: Alexander Shishkin To: Greg KH Cc: Mathieu Poirier , Chunyan Zhang , linux-kernel@vger.kernel.org, Dan Carpenter , Alexander Shishkin Subject: [GIT PULL 01/15] stm: Potential read overflow in stm_char_policy_set_ioctl() Date: Fri, 25 Aug 2017 19:15:52 +0300 Message-Id: <20170825161606.2670-2-alexander.shishkin@linux.intel.com> X-Mailer: git-send-email 2.13.1 In-Reply-To: <20170825161606.2670-1-alexander.shishkin@linux.intel.com> References: <20170825161606.2670-1-alexander.shishkin@linux.intel.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter The "size" variable comes from the user so we need to verify that it's large enough to hold an stp_policy_id struct. Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices") Signed-off-by: Dan Carpenter Signed-off-by: Alexander Shishkin --- drivers/hwtracing/stm/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index 0e731143f6..9414900575 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -566,7 +566,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg) if (copy_from_user(&size, arg, sizeof(size))) return -EFAULT; - if (size >= PATH_MAX + sizeof(*id)) + if (size < sizeof(*id) || size >= PATH_MAX + sizeof(*id)) return -EINVAL; /* -- 2.14.1