[ibm-acpi-devel] [PATCH v1] platform/x86: thinkpad_acpi: Limit size when call strndup_user()

Andy Shevchenko Tue, 14 Jul 2020 03:44:11 -0700

During conversion to use strndup_user() the commit 35d13c7a0512
("platform/x86: thinkpad_acpi: Use strndup_user() in dispatch_proc_write()")
missed the fact that buffer coming thru procfs is not immediately NULL
terminated. We have to limit size when calling strndup_user().


Fixes: 35d13c7a0512 ("platform/x86: thinkpad_acpi: Use strndup_user() in 
dispatch_proc_write()")
Reported-by: Hans de Goede <hdego...@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevche...@linux.intel.com>
---
 drivers/platform/x86/thinkpad_acpi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/platform/x86/thinkpad_acpi.c 
b/drivers/platform/x86/thinkpad_acpi.c
index f571d6254e7c..f411ad814cab 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -886,7 +886,7 @@ static ssize_t dispatch_proc_write(struct file *file,
        if (!ibm || !ibm->write)
                return -EINVAL;
 
-       kernbuf = strndup_user(userbuf, PAGE_SIZE);
+       kernbuf = strndup_user(userbuf, min_t(long, count, PAGE_SIZE));
        if (IS_ERR(kernbuf))
                return PTR_ERR(kernbuf);
 
-- 
2.27.0



_______________________________________________
ibm-acpi-devel mailing list
ibm-acpi-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ibm-acpi-devel

[ibm-acpi-devel] [PATCH v1] platform/x86: thinkpad_acpi: Limit size when call strndup_user()

Reply via email to