[PATCH] cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)

Use simple_read_from_buffer to avoid possible underflow in
cpuset_tasks_read which could allow user to read kernel memory.

Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006

Signed-off-by: Chris Wright <chrisw@sous-sol.org>

diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index f382b0f775e15ca0d91600c796f746f11d159a72..9e45dd152ae6ac00e4ef3e5e10e2c6ae76e359d4 100644 (file)
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1751,12 +1751,7 @@ static ssize_t cpuset_tasks_read(struct file *file, char __user *buf,
 {
        struct ctr_struct *ctr = file->private_data;
 
-       if (*ppos + nbytes > ctr->bufsz)
-               nbytes = ctr->bufsz - *ppos;
-       if (copy_to_user(buf, ctr->buf + *ppos, nbytes))
-               return -EFAULT;
-       *ppos += nbytes;
-       return nbytes;
+       return simple_read_from_buffer(buf, nbytes, ppos, ctr->buf, ctr->bufsz);
 }
 
 static int cpuset_tasks_release(struct inode *unused_inode, struct file *file)