mm: do_xip_mapping_read: fix length calculation

upstream commit: 58984ce21d315b70df1a43644df7416ea7c9bfd8

The calculation of the value nr in do_xip_mapping_read is incorrect.  If
the copy required more than one iteration in the do while loop the copies
variable will be non-zero.  The maximum length that may be passed to the
call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the
check only compares against (nr > len).

This bug is the cause for the heap corruption Carsten has been chasing
for so long:

diff --git a/mm/filemap_xip.c b/mm/filemap_xip.c
index b5167dfb2f2d65366004963558dfa765643423b8..e8b2b18f02a3403013f780db5d3d6397d51794b5 100644 (file)
--- a/mm/filemap_xip.c
+++ b/mm/filemap_xip.c
@@ -89,8 +89,8 @@ do_xip_mapping_read(struct address_space *mapping,
                        }
                }
                nr = nr - offset;
-               if (nr > len)
-                       nr = len;
+               if (nr > len - copied)
+                       nr = len - copied;
 
                error = mapping->a_ops->get_xip_mem(mapping, index, 0,
                                                        &xip_mem, &xip_pfn);