6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brennan Xavier McManus bxmcmanus@gmail.com
commit 791f4641142e2aced85de082e5783b4fb0b977c2 upstream.
Pass user_p_len to memcpy() instead of heap->len to prevent realloc() from copying an extra sizeof(heap) bytes from beyond the allocated region.
Signed-off-by: Brennan Xavier McManus bxmcmanus@gmail.com Cc: stable@vger.kernel.org Reviewed-by: Ammar Faizi ammarfaizi2@gnuweeb.org Fixes: 0e0ff638400be8f497a35b51a4751fd823f6bd6a ("tools/nolibc/stdlib: Implement `malloc()`, `calloc()`, `realloc()` and `free()`") Signed-off-by: Willy Tarreau w@1wt.eu Signed-off-by: Thomas Weißschuh linux@weissschuh.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- tools/include/nolibc/stdlib.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/include/nolibc/stdlib.h +++ b/tools/include/nolibc/stdlib.h @@ -166,7 +166,7 @@ void *realloc(void *old_ptr, size_t new_ if (__builtin_expect(!ret, 0)) return NULL;
- memcpy(ret, heap->user_p, heap->len); + memcpy(ret, heap->user_p, user_p_len); munmap(heap, heap->len); return ret; }