pstore: Fix buffer overflow while write offset equal to buffer size
authorLiu ShuoX <shuox.liu@intel.com>
Wed, 12 Mar 2014 13:24:44 +0000 (21:24 +0800)
committerJiri Slaby <jslaby@suse.cz>
Fri, 28 Oct 2016 10:55:48 +0000 (12:55 +0200)
commit 017321cf390045dd4c4afc4a232995ea50bcf66d upstream.

If the new offset is equal to prz->buffer_size, it does not wrap at this
time, and the old (overflowed) value is returned the next time.

Signed-off-by: Liu ShuoX <shuox.liu@intel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
fs/pstore/ram_core.c

index bda61a759b684f58e6212064e0dc6307be99a13b..0b367ef7a7d684ad768edf19b70957c2d8ad26c2 100644 (file)
@@ -54,7 +54,7 @@ static size_t buffer_start_add_atomic(struct persistent_ram_zone *prz, size_t a)
        do {
                old = atomic_read(&prz->buffer->start);
                new = old + a;
-               while (unlikely(new > prz->buffer_size))
+               while (unlikely(new >= prz->buffer_size))
                        new -= prz->buffer_size;
        } while (atomic_cmpxchg(&prz->buffer->start, old, new) != old);
 
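Review bot: Only `new` is range-checked in this loop; `old` is taken straight from `prz->buffer->start` in both buffer_start_add_atomic() and buffer_start_add_locked() (second hunk), and going by the commit message it is the value the next call hands back as the write offset. Because that field lives in the persistent zone, a `start == prz->buffer_size` left behind by a kernel without this fix would presumably still be used once after reboot unless the zone validation at init, which is outside this diff, rejects `start >= prz->buffer_size`; that check is worth confirming or tightening alongside this change. A comment above the loop such as `/* invariant: 0 <= buffer->start < prz->buffer_size */` would document what the wrap guarantees. With `>=` the loop also cannot terminate if `prz->buffer_size` were ever 0, so the non-zero size assumption should be enforced where the zone is set up. Both function bodies start and end outside the hunks.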
@@ -91,7 +91,7 @@ static size_t buffer_start_add_locked(struct persistent_ram_zone *prz, size_t a)
 
        old = atomic_read(&prz->buffer->start);
        new = old + a;
-       while (unlikely(new > prz->buffer_size))
+       while (unlikely(new >= prz->buffer_size))
                new -= prz->buffer_size;
        atomic_set(&prz->buffer->start, new);