| author | Vincent Li <macli@brc.ubc.ca> | 2009-09-22 19:45:36 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-09-23 10:39:40 -0400 |
| commit | fb92a4b068be96799da3748c11cbd69760e44d7b (patch) | |
| tree | da10040b94e5a0b83de42008c369aa7c3242c333 /fs | |
| parent | acef82b873b6899d80e639317228f2104dae79a2 (diff) | |
fs/proc/task_mmu.c v1: fix clear_refs_write() input sanity check
Andrew Morton pointed out similar string hacking and an obfuscated check for
zero-length input at the end of the function, and David Rientjes suggested
using strict_strtol to replace simple_strtol. This patch covers the above
suggestions and adds removal of leading and trailing whitespace from user
input. It does not change function behaviour.
Signed-off-by: Vincent Li <macli@brc.ubc.ca>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: Amerigo Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/proc/task_mmu.c | 14 |
1 files changed, 6 insertions, 8 deletions
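--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -473,21 +473,20 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf,
 size_t count, loff_t *ppos)
 {
 struct task_struct *task;
-char buffer[PROC_NUMBUF], *end;
+char buffer[PROC_NUMBUF];
 struct mm_struct *mm;
 struct vm_area_struct *vma;
-int type;
+long type;
 
 memset(buffer, 0, sizeof(buffer));
 if (count > sizeof(buffer) - 1)
 count = sizeof(buffer) - 1;
 if (copy_from_user(buffer, buf, count))
 return -EFAULT;
-type = simple_strtol(buffer, &end, 0);
+if (strict_strtol(strstrip(buffer), 10, &type))
+return -EINVAL;
 if (type < CLEAR_REFS_ALL || type > CLEAR_REFS_MAPPED)
 return -EINVAL;
-if (*end == '\n')
-end++;
 task = get_proc_task(file->f_path.dentry->d_inode);
 if (!task)
 return -ESRCH;
@@ -523,9 +522,8 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf,
 mmput(mm);
 }
 put_task_struct(task);
-if (end - buffer == 0)
-return -EIO;
-return end - buffer;
+
+return count;
 }
 
 const struct file_operations proc_clear_refs_operations = {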
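Review bot: The new parse in clear_refs_write() narrows the accepted input, and nothing in the code records that contract. `strict_strtol(strstrip(buffer), 10, &type)` is decimal-only and appears to reject trailing characters that `simple_strtol(buffer, &end, 0)` tolerated, and the function now returns `count` instead of the number of bytes consumed. I would add a comment above the parse such as `/* one decimal value in [CLEAR_REFS_ALL, CLEAR_REFS_MAPPED]; surrounding whitespace ignored, anything else is -EINVAL */`. Separately, the unchanged clamp still truncates over-long writes to `sizeof(buffer) - 1` before parsing, so a long write can be acted on and then reported as short; rejecting it up front with `if (count > sizeof(buffer) - 1) return -EINVAL;` would be stricter, provided no existing writer depends on the truncation. The middle of the function lies between the two hunks and is not visible here, so the later uses of `type` as a `long` are unchecked in this review.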
