UBUNTU: [Config] arm64: snapdragon: SND*=m

[mirror_ubuntu-bionic-kernel.git] / fs / binfmt_misc.c

diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 2a46762def315638e31a2042a3e2d7ccd06a52de..8311e8ed76de37542d35dffc90c039452572f50e 100644 (file)
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -387,8 +387,13 @@ static Node *create_entry(const char __user *buffer, size_t count)
                s = strchr(p, del);
                if (!s)
                        goto einval;
-               *s++ = '\0';
-               e->offset = simple_strtoul(p, &p, 10);
+               *s = '\0';
+               if (p != s) {
+                       int r = kstrtoint(p, 10, &e->offset);
+                       if (r != 0 || e->offset < 0)
+                               goto einval;
+               }
+               p = s;
                if (*p++)
                        goto einval;
                pr_debug("register: offset: %#x\n", e->offset);
@@ -428,7 +433,8 @@ static Node *create_entry(const char __user *buffer, size_t count)
                if (e->mask &&
                    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
                        goto einval;
-               if (e->size + e->offset > BINPRM_BUF_SIZE)
+               if (e->size > BINPRM_BUF_SIZE ||
+                   BINPRM_BUF_SIZE - e->size < e->offset)
                        goto einval;
                pr_debug("register: magic/mask length: %i\n", e->size);
                if (USE_DEBUG) {
@@ -596,7 +602,7 @@ static void bm_evict_inode(struct inode *inode)
 {
        Node *e = inode->i_private;
 
-       if (e->flags & MISC_FMT_OPEN_FILE)
+       if (e && e->flags & MISC_FMT_OPEN_FILE)
                filp_close(e->interp_file, NULL);
 
        clear_inode(inode);