Message ID | 20211013114854.15705-1-xhao@linux.alibaba.com (mailing list archive)
---|---
State | New
Series | mm/damon: Adjust the size of kbuf array to avoid overflow
Hi Xin,

On Wed, 13 Oct 2021 19:48:54 +0800 Xin Hao <xhao@linux.alibaba.com> wrote:

> In order to avoid the case where the 'count'-sized space of the kbuf array is
> used up but a "\0" is still added.

Thank you for this patch! :)

But... I am unsure how this can cause a buffer overflow, as 'kbuf' is accessed by only size-specified functions, namely 'scnprintf()' and 'simple_read_from_buffer()'. If I'm missing something, please feel free to let me know.

Thanks,
SJ

>
> Signed-off-by: Xin Hao <xhao@linux.alibaba.com>
> ---
> mm/damon/dbgfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/damon/dbgfs.c b/mm/damon/dbgfs.c > index faee070977d8..20c61eed54af 100644 > --- a/mm/damon/dbgfs.c > +++ b/mm/damon/dbgfs.c > @@ -247,7 +247,7 @@ static ssize_t dbgfs_kdamond_pid_read(struct file *file, > char *kbuf; > ssize_t len; > > - kbuf = kmalloc(count, GFP_KERNEL); > + kbuf = kmalloc(count + 1, GFP_KERNEL); > if (!kbuf) > return -ENOMEM; > > -- > 2.31.0 >
diff --git a/mm/damon/dbgfs.c b/mm/damon/dbgfs.c index faee070977d8..20c61eed54af 100644 --- a/mm/damon/dbgfs.c +++ b/mm/damon/dbgfs.c @@ -247,7 +247,7 @@ static ssize_t dbgfs_kdamond_pid_read(struct file *file, char *kbuf; ssize_t len; - kbuf = kmalloc(count, GFP_KERNEL); + kbuf = kmalloc(count + 1, GFP_KERNEL); if (!kbuf) return -ENOMEM;
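Review bot: the hunk enlarges the allocation to `kmalloc(count + 1, GFP_KERNEL)` without showing any write into kbuf that needs the extra byte; the only use visible in the hunk is the `if (!kbuf)` check, and the reply on this thread states that kbuf is written only through scnprintf() and simple_read_from_buffer(), both of which take the buffer size as an argument. scnprintf() stores at most size - 1 characters plus the terminating NUL, so a buffer of `count` bytes already has room for the "\0" the commit message worries about. Either the commit message should name the specific write that stores count + 1 bytes into kbuf, or this change should be dropped. If the allocation size does need to change, the size passed to the bounded writers has to change in the same patch so the two stay consistent, and since `count` is the caller-supplied read length, any arithmetic on it should be checked for wrap-around: `count + 1` wrapping to 0 would make kmalloc() return ZERO_SIZE_PTR, which the `if (!kbuf)` check does not catch.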
In order to avoid the case where the 'count'-sized space of the kbuf array is
used up but a "\0" is still added.

Signed-off-by: Xin Hao <xhao@linux.alibaba.com>
---
 mm/damon/dbgfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
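Added here as an illustration of the point the reply makes; this is not code from the patch, from DAMON or from the kernel. It is a userspace model of the two write patterns at issue. `my_scnprintf()` is a stand-in for the kernel's scnprintf() and is assumed to match its contract (formats like snprintf() but returns the number of bytes actually stored, at most size - 1, and 0 when size is 0). `emit_bounded()` and `emit_unbounded()` are hypothetical helpers that format "pid\n" or "none\n" into a buffer of exactly `count` bytes, with a canary byte placed just past the end so a one-past-the-end write is detected instead of corrupting the heap. The bounded version never touches the canary, even when `count` is too small to hold the whole output (it truncates instead); the unbounded sprintf() version clobbers the canary whenever the output fills all `count` bytes, which is the only situation in which a `count + 1` allocation would be needed.

```c
/* Added example, not DAMON or kernel code: userspace model of why a buffer
 * of exactly `count` bytes is safe when every write into it is bounded by
 * `count`, and when a count + 1 allocation would actually be required. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5

/* Stand-in for the kernel's scnprintf() (assumed contract): store at most
 * size - 1 characters plus a terminating NUL into buf and return the number
 * of characters actually stored, not the number that would have been
 * stored. With size == 0 nothing is written and 0 is returned. */
static size_t my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? (size_t)n : size - 1;
}

/* Hypothetical helper: the formatting step described for
 * dbgfs_kdamond_pid_read(), with a kbuf of exactly `count` bytes. One extra
 * byte is allocated and filled with CANARY purely to detect a write at
 * kbuf[count]. Returns the number of bytes stored, -1 if the canary was
 * overwritten, -2 on allocation failure. */
static int emit_bounded(size_t count, int running, int pid)
{
    char *kbuf = malloc(count + 1);
    size_t len;
    int ret;

    if (!kbuf)
        return -2;
    kbuf[count] = (char)CANARY;
    if (running)
        len = my_scnprintf(kbuf, count, "%d\n", pid);
    else
        len = my_scnprintf(kbuf, count, "none\n");
    ret = ((unsigned char)kbuf[count] == CANARY) ? (int)len : -1;
    free(kbuf);
    return ret;
}

/* Hypothetical contrast: the unbounded pattern the commit message describes,
 * where all `count` bytes are used up and a "\0" is still appended. sprintf()
 * puts its NUL at kbuf[len], so len == count lands on the canary. Only call
 * this with count >= length of the output; below that it is a real overflow. */
static int emit_unbounded(size_t count, int running, int pid)
{
    char *kbuf = malloc(count + 1);
    int len, ret;

    if (!kbuf)
        return -2;
    kbuf[count] = (char)CANARY;
    if (running)
        len = sprintf(kbuf, "%d\n", pid);
    else
        len = sprintf(kbuf, "none\n");
    ret = ((unsigned char)kbuf[count] == CANARY) ? len : -1;
    free(kbuf);
    return ret;
}

int main(void)
{
    /* "none\n" is 5 bytes; a 6-byte kbuf holds it plus the NUL either way */
    printf("bounded,   count=6: %d\n", emit_bounded(6, 0, 0));    /* 5 */
    /* a 5-byte kbuf: bounded write truncates to 4 chars + NUL, canary intact */
    printf("bounded,   count=5: %d\n", emit_bounded(5, 0, 0));    /* 4 */
    printf("bounded,   count=0: %d\n", emit_bounded(0, 0, 0));    /* 0 */
    printf("unbounded, count=6: %d\n", emit_unbounded(6, 0, 0));  /* 5 */
    /* unbounded write stores 5 chars and then the NUL at kbuf[5]: canary hit */
    printf("unbounded, count=5: %d\n", emit_unbounded(5, 0, 0));  /* -1 */
    return 0;
}
```

The takeaway matches the reply: with scnprintf() taking `count` as its size, the terminator is always inside the `count` bytes, so growing the allocation changes nothing unless the size passed to the writer grows with it, at which point the "extra" byte is simply the writer's size again.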