cgroups: add check for strcpy destination string overflow

Function "strcpy" is used without check for maximum allowed source string length and could cause destination string overflow. Check for string length is added before using "strcpy". Function now is return error if source string length is more than a maximum. akpm: presently considered NotABug, but add the check for general future-safeness and robustness. Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> Acked-by: Paul Menage <menage@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

cgroups: add check for strcpy destination string overflow
Function "strcpy" is used without check for maximum allowed source string length and could cause destination string overflow. Check for string length is added before using "strcpy". Function now is return error if source string length is more than a maximum. akpm: presently considered NotABug, but add the check for general future-safeness and robustness. Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> Acked-by: Paul Menage <menage@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Evgeny Kuznetsov · Linus Torvalds
1 parent 32a8cf235e
Showing 1 changed file with 2 additions and 0 deletions Side-by-side Diff
kernel/cgroup.c
@@ -1922,6 +1922,8 @@
 				      const char *buffer)
 {
 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+	if (strlen(buffer) >= PATH_MAX)
+		return -EINVAL;
 	if (!cgroup_lock_live_group(cgrp))
 		return -ENODEV;
 	strcpy(cgrp->root->release_agent_path, buffer);
...	...	@@ -1922,6 +1922,8 @@
1922	1922	const char *buffer)
1923	1923	{
1924	1924	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
	1925	+ if (strlen(buffer) >= PATH_MAX)
	1926	+ return -EINVAL;
1925	1927	if (!cgroup_lock_live_group(cgrp))
1926	1928	return -ENODEV;
1927	1929	strcpy(cgrp->root->release_agent_path, buffer);