summaryrefslogtreecommitdiff
path: root/fs/notify/fanotify
diff options
context:
space:
mode:
authorFabian Frederick <fabf@skynet.be>2020-05-12 20:19:21 +0200
committerJan Kara <jack@suse.cz>2020-05-13 17:16:57 +0200
commit5e23663b49e1e8ee6b805356259e3062edac5e2b (patch)
tree8ef30910ee1066193afa821953930f1e79e1b6fb /fs/notify/fanotify
parent5a449099b9d5b0a1ac23c1cdbda4bfbaf4b27076 (diff)
fanotify: don't write with size under sizeof(response)
fanotify_write() only aligned copy_from_user size to sizeof(response) for higher values. This patch avoids all values below as suggested by Amir Goldstein and set to response size unconditionally. Link: https://lore.kernel.org/r/20200512181921.405973-1-fabf@skynet.be Signed-off-by: Fabian Frederick <fabf@skynet.be> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/notify/fanotify')
-rw-r--r--fs/notify/fanotify/fanotify_user.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 02a314acc757..63b5dffdca9e 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -487,8 +487,10 @@ static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t
group = file->private_data;
- if (count > sizeof(response))
- count = sizeof(response);
+ if (count < sizeof(response))
+ return -EINVAL;
+
+ count = sizeof(response);
pr_debug("%s: group=%p count=%zu\n", __func__, group, count);