summaryrefslogtreecommitdiff
path: root/mm/tiny-shmem.c
diff options
context:
space:
mode:
authorMartin Schwidefsky <schwidefsky@de.ibm.com>2009-04-03 04:35:12 +0000
committerGreg Kroah-Hartman <gregkh@suse.de>2009-05-02 10:23:59 -0700
commite655a1eaa988bc55739f47d62ab0658c1364458a (patch)
tree6b793dbbdaaea766a29aa0d3de283bf661557dde /mm/tiny-shmem.c
parent398e94c43b3339ce64f71d1ea827c3c4fed5ef1e (diff)
mm: do_xip_mapping_read: fix length calculation
upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8 The calculation of the value nr in do_xip_mapping_read is incorrect. If the copy required more than one iteration in the do while loop the copies variable will be non-zero. The maximum length that may be passed to the call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the check only compares against (nr > len). This bug is the cause for the heap corruption Carsten has been chasing for so long:
Diffstat (limited to 'mm/tiny-shmem.c')
0 files changed, 0 insertions, 0 deletions