Patch "lib/cmdline.c: fix get_options() overflow while parsing ranges" has been added to the 3.18-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "lib/cmdline.c: fix get_options() overflow while parsing ranges" has been added to the 3.18-stable tree
@ 2017-06-26  6:15 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-06-26  6:15 UTC (permalink / raw)
  To: matvejchikov, akpm, corbet, gregkh, torvalds; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    lib/cmdline.c: fix get_options() overflow while parsing ranges

to the 3.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     lib-cmdline.c-fix-get_options-overflow-while-parsing-ranges.patch
and it can be found in the queue-3.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From a91e0f680bcd9e10c253ae8b62462a38bd48f09f Mon Sep 17 00:00:00 2001
From: Ilya Matveychikov <matvejchikov@gmail.com>
Date: Fri, 23 Jun 2017 15:08:49 -0700
Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges

From: Ilya Matveychikov <matvejchikov@gmail.com>

commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream.

When using get_options() it's possible to specify a range of numbers,
like 1-100500.  The problem is that it doesn't track array size while
calling internally to get_range() which iterates over the range and
fills the memory with numbers.

Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@gmail.com
Signed-off-by: Ilya V. Matveychikov <matvejchikov@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/cmdline.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/lib/cmdline.c
+++ b/lib/cmdline.c
@@ -22,14 +22,14 @@
  *	the values[M, M+1, ..., N] into the ints array in get_options.
  */
 
-static int get_range(char **str, int *pint)
+static int get_range(char **str, int *pint, int n)
 {
 	int x, inc_counter, upper_range;
 
 	(*str)++;
 	upper_range = simple_strtol((*str), NULL, 0);
 	inc_counter = upper_range - *pint;
-	for (x = *pint; x < upper_range; x++)
+	for (x = *pint; n && x < upper_range; x++, n--)
 		*pint++ = x;
 	return inc_counter;
 }
@@ -96,7 +96,7 @@ char *get_options(const char *str, int n
 			break;
 		if (res == 3) {
 			int range_nums;
-			range_nums = get_range((char **)&str, ints + i);
+			range_nums = get_range((char **)&str, ints + i, nints - i);
 			if (range_nums < 0)
 				break;
 			/*


Patches currently in stable-queue which might be from matvejchikov@gmail.com are

queue-3.18/lib-cmdline.c-fix-get_options-overflow-while-parsing-ranges.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2017-06-26  6:40 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-26  6:15 Patch "lib/cmdline.c: fix get_options() overflow while parsing ranges" has been added to the 3.18-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).