From patchwork Thu Nov 8 10:28:21 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [quantal,CVE,2/2] use clamp_t in UNAME26 fix From: Luis Henriques X-Patchwork-Id: 197822 Message-Id: <1352370502-9996-3-git-send-email-luis.henriques@canonical.com> To: kernel-team@lists.ubuntu.com Date: Thu, 8 Nov 2012 10:28:21 +0000 From: Kees Cook BugLink: http://bugs.launchpad.net/bugs/1065622 BugLink: http://bugs.launchpad.net/bugs/1060521 The min/max call needed to have explicit types on some architectures (e.g. mn10300). Use clamp_t instead to avoid the warning: kernel/sys.c: In function 'override_release': kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] Reported-by: Fengguang Wu Signed-off-by: Kees Cook Signed-off-by: Linus Torvalds (cherry picked from commit 31fd84b95eb211d5db460a1dda85e004800a7b52) CVE-2012-0957 Signed-off-by: Luis Henriques --- kernel/sys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sys.c b/kernel/sys.c index 1b66408..b6fe559 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len) rest++; } v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; - copy = min(sizeof(buf), max_t(size_t, 1, len)); + copy = clamp_t(size_t, len, 1, sizeof(buf)); copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); ret = copy_to_user(release, buf, copy + 1); }
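Review bot: The floor of 1 in `copy = clamp_t(size_t, len, 1, sizeof(buf));` means a `len` of 0 still reaches `copy_to_user(release, buf, copy + 1)` with `copy` equal to 0, so one byte (the NUL) is written to a user buffer whose stated length is zero. scnprintf() returns the number of characters written excluding the terminator, so for any `len` of 1 or more `copy + 1` stays within the clamped size; only the zero case exceeds `len`. This matches the behaviour of the replaced min()/max_t() expression, so it is not a regression, but the hunk is a good place to either return early when `len` is 0 or add a short comment at the clamp stating that callers always pass a non-zero length and that the floor exists to leave room for the terminator. The type handling itself looks right: clamp_t casts all three operands to `size_t`, which addresses the distinct-types warning quoted in the commit message.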