From: Fabian Frederick Date: Tue, 12 May 2020 18:19:21 +0000 (+0200) Subject: fanotify: don't write with size under sizeof(response) X-Git-Tag: v5.10.7~2451^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5e23663b49e1e8ee6b805356259e3062edac5e2b;p=platform%2Fkernel%2Flinux-rpi.git fanotify: don't write with size under sizeof(response) fanotify_write() only aligned copy_from_user size to sizeof(response) for higher values. This patch avoids all values below as suggested by Amir Goldstein and set to response size unconditionally. Link: https://lore.kernel.org/r/20200512181921.405973-1-fabf@skynet.be Signed-off-by: Fabian Frederick Reviewed-by: Amir Goldstein Signed-off-by: Jan Kara --- diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index 02a314a..63b5dff 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -487,8 +487,10 @@ static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t group = file->private_data; - if (count > sizeof(response)) - count = sizeof(response); + if (count < sizeof(response)) + return -EINVAL; + + count = sizeof(response); pr_debug("%s: group=%p count=%zu\n", __func__, group, count);
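Review bot: After the unconditional `count = sizeof(response);`, the `pr_debug` on the trailing context line always prints the same `count`, so the size the caller actually passed no longer shows up in the debug output; consider moving the `pr_debug` above the size check, or dropping `count` from its format string. The new `if (count < sizeof(response)) return -EINVAL;` also changes what userspace sees: a short write that the old code let through to the copy now fails, and neither the commit message nor the code says why a partially filled `response` must not be processed. A one-line comment above the check stating that would help, as would a note in the changelog that writes shorter than `sizeof(response)` are now rejected.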