summaryrefslogtreecommitdiff
path: root/mm
diff options
context:
space:
mode:
authorAlban Crequy <albancrequy@linux.microsoft.com>2022-11-10 09:56:13 +0100
committerAndrii Nakryiko <andrii@kernel.org>2022-11-11 11:44:46 -0800
commit8678ea06852cd1f819b870c773d43df888d15d46 (patch)
treea6accda70d5e23d0b3568f9ae322a1b4df9f918d /mm
parent5704bc7e8991164b14efb748b5afa0715c25fac3 (diff)
maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()
If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later. Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly") Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Tested-by: Francis Laniel <flaniel@linux.microsoft.com> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: <stable@vger.kernel.org> [5.8] Link: https://lore.kernel.org/bpf/20221110085614.111213-2-albancrequy@linux.microsoft.com
Diffstat (limited to 'mm')
-rw-r--r--mm/maccess.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/maccess.c b/mm/maccess.c
index 5f4d240f67ec..074f6b086671 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
return src - unsafe_addr;
Efault:
pagefault_enable();
- dst[-1] = '\0';
+ dst[0] = '\0';
return -EFAULT;
}