From: Alban Crequy <albancrequy@linux.microsoft.com>
Date: Thu, 10 Nov 2022 08:56:13 +0000 (+0100)
Subject: maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()
X-Git-Tag: v5.10.156~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db744288af730abb66312f40b087d1dbf794c5f4;p=thirdparty%2Fkernel%2Fstable.git

maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()

commit 8678ea06852cd1f819b870c773d43df888d15d46 upstream.

If a page fault occurs while copying the first byte, this function resets one
byte before dst.
As a consequence, an address could be modified and leaded to kernel crashes if
case the modified address was accessed later.

Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly")
Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@vger.kernel.org> [5.8]
Link: https://lore.kernel.org/bpf/20221110085614.111213-2-albancrequy@linux.microsoft.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/mm/maccess.c b/mm/maccess.c
index 3bd70405f2d84..f6ea117a69eb5 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -83,7 +83,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
 	return src - unsafe_addr;
 Efault:
 	pagefault_enable();
-	dst[-1] = '\0';
+	dst[0] = '\0';
 	return -EFAULT;
 }
 #else /* HAVE_GET_KERNEL_NOFAULT */