[PATCH] mm/damon: Adjust the size of kbuf array to avoid overflow

[PATCH] mm/damon: Adjust the size of kbuf array to avoid overflow

[Xin Hao]

In order to avoid the 'count' size space of kbuf array is
used up, but a "\0" is still added.

Signed-off-by: Xin Hao <xhao@linux.alibaba.com>
---
 mm/damon/dbgfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/damon/dbgfs.c b/mm/damon/dbgfs.c
index faee070977d8..20c61eed54af 100644
--- a/mm/damon/dbgfs.c
+++ b/mm/damon/dbgfs.c
@@ -247,7 +247,7 @@ static ssize_t dbgfs_kdamond_pid_read(struct file *file,
 	char *kbuf;
 	ssize_t len;
 
-	kbuf = kmalloc(count, GFP_KERNEL);
+	kbuf = kmalloc(count + 1, GFP_KERNEL);
 	if (!kbuf)
 		return -ENOMEM;
 
-- 
2.31.0

Re: [PATCH] mm/damon: Adjust the size of kbuf array to avoid overflow

[SeongJae Park]

Hi Xin,

On Wed, 13 Oct 2021 19:48:54 +0800 Xin Hao <xhao@linux.alibaba.com> wrote:

> In order to avoid the 'count' size space of kbuf array is
> used up, but a "\0" is still added.

Thank you for this patch! :)

But... I unsure how this can cause a buffer overflow, as 'kbuf' is accessed by
only size-specified functions, namely 'scnprintf()' and
'simple_read_from_buffer()'.

If I'm missing something, please feel free to let me know.


Thanks,
SJ

> 
> Signed-off-by: Xin Hao <xhao@linux.alibaba.com>
> ---
>  mm/damon/dbgfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/damon/dbgfs.c b/mm/damon/dbgfs.c
> index faee070977d8..20c61eed54af 100644
> --- a/mm/damon/dbgfs.c
> +++ b/mm/damon/dbgfs.c
> @@ -247,7 +247,7 @@ static ssize_t dbgfs_kdamond_pid_read(struct file *file,
>  	char *kbuf;
>  	ssize_t len;
>  
> -	kbuf = kmalloc(count, GFP_KERNEL);
> +	kbuf = kmalloc(count + 1, GFP_KERNEL);
>  	if (!kbuf)
>  		return -ENOMEM;
>  
> -- 
> 2.31.0
>