[CVE-2011-1593][Hardy][PATCH 2/2] proc: do proper range check on readdir offset, CVE-2011-1593

[Herton Ronaldo Krzesinski]

From: Linus Torvalds <torvalds at linux-foundation.org>

CVE-2011-1593

BugLink: https://bugs.launchpad.net/bugs/784727

Released until now with stable versions 2.6.27.59, 2.6.32.39, 2.6.33.12,
2.6.35.13, 2.6.38.4

Rather than pass in some random truncated offset to the pid-related
functions, check that the offset is in range up-front.

This is just cleanup, the previous commit fixed the real problem.

Cc: stable at kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry-picked from commit d8bdc59f215e62098bc5b4256fd9928bf27053a1 upstream)
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski at canonical.com>
---
 fs/proc/base.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 1898c49..a91dc82 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2560,11 +2560,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
 /* for the /proc/ directory itself, after non-process stuff has been done */
 int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
 {
-	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
-	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+	unsigned int nr;
+	struct task_struct *reaper;
 	struct tgid_iter iter;
 	struct pid_namespace *ns;
 
+	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
+		goto out_no_task;
+	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+
+	reaper = get_proc_task(filp->f_path.dentry->d_inode);
 	if (!reaper)
 		goto out_no_task;
 
-- 
1.7.0.4