| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240726054357.GD99483@ZenIV>
Date: Fri, 26 Jul 2024 06:43:57 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: cgroups@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Subject: [PATCH] memcg_write_event_control(): fix a user-triggerable oops
We are *not* guaranteed that anything past the terminating NUL
is mapped (let alone initialized with anything sane).
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c
index 2aeea4d8bf8e..417c96f2da28 100644
--- a/mm/memcontrol-v1.c
+++ b/mm/memcontrol-v1.c
@@ -1842,9 +1842,12 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of,
buf = endp + 1;
cfd = simple_strtoul(buf, &endp, 10);
- if ((*endp != ' ') && (*endp != '\0'))
+ if (*endp == '\0')
+ buf = endp;
+ else if (*endp == ' ')
+ buf = endp + 1;
+ else
return -EINVAL;
- buf = endp + 1;
event = kzalloc(sizeof(*event), GFP_KERNEL);
if (!event)
Powered by blists - more mailing lists