maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()

commit 8678ea06852cd1f819b870c773d43df888d15d46 upstream. If a page fault occurs while copying the first byte, this function resets one byte before dst. As a consequence, an address could be modified and leaded to kernel crashes if case the modified address was accessed later. Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly") Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Tested-by: Francis Laniel <flaniel@linux.microsoft.com> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: <stable@vger.kernel.org> [5.8] Link: https://lore.kernel.org/bpf/20221110085614.111213-2-albancrequy@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Alban Crequy <albancrequy@linux.microsoft.com> 2022-11-10 09:56:13 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-11-25 17:45:53 +0100
commit: db744288af730abb66312f40b087d1dbf794c5f4 (patch)
tree: 1a81b74f83afef8986a02cd85c293c41b1e71eb4 /mm
parent: 24cc679abbf31477d0cc6106ec83c2fbae6b3cdf (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/maccess.c b/mm/maccess.c
index 3bd70405f2d8..f6ea117a69eb 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -83,7 +83,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
 	return src - unsafe_addr;
 Efault:
 	pagefault_enable();
-	dst[-1] = '\0';
+	dst[0] = '\0';
 	return -EFAULT;
 }
 #else /* HAVE_GET_KERNEL_NOFAULT */
author	Alban Crequy <albancrequy@linux.microsoft.com>	2022-11-10 09:56:13 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-11-25 17:45:53 +0100
commit	db744288af730abb66312f40b087d1dbf794c5f4 (patch)
tree	1a81b74f83afef8986a02cd85c293c41b1e71eb4 /mm
parent	24cc679abbf31477d0cc6106ec83c2fbae6b3cdf (diff)