Commit f18c34e4 authored by Jan Kara's avatar Jan Kara Committed by Linus Torvalds
Browse files

lib: Fix strnlen_user() to not touch memory after specified maximum

If the specified maximum length of the string is a multiple of unsigned
long, we would load one long behind the specified maximum.  If that
happens to be in a next page, we can hit a page fault although we were
not expected to.

Fix the off-by-one bug in the test whether we are at the end of the
specified range.
Signed-off-by: default avatarJan Kara <>
Signed-off-by: default avatarLinus Torvalds <>
parent c46a024e
......@@ -57,7 +57,8 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
return res + find_zero(data) + 1 - align;
res += sizeof(unsigned long);
if (unlikely(max < sizeof(unsigned long)))
/* We already handled 'unsigned long' bytes. Did we do it all ? */
if (unlikely(max <= sizeof(unsigned long)))
max -= sizeof(unsigned long);
if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment