Commit 225cf8d6 authored by Heiko Carstens's avatar Heiko Carstens Committed by Martin Schwidefsky

s390/uaccess: fix strncpy_from_user string length check

The "standard" and page table walk variants of strncpy_from_user() first
check the length of the to be copied string in userspace.
The string is then copied to kernel space and the length returned to the
caller.
However userspace can modify the string at any time while the kernel
checks for the length of the string or copies the string. In result the
returned length of the string is not necessarily correct.
Fix this by copying in a loop which mimics the mvcos variant of
strncpy_from_user(), which handles this correctly.
Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent 832a9981
...@@ -202,27 +202,29 @@ static size_t strnlen_user_pt(size_t count, const char __user *src) ...@@ -202,27 +202,29 @@ static size_t strnlen_user_pt(size_t count, const char __user *src)
static size_t strncpy_from_user_pt(size_t count, const char __user *src, static size_t strncpy_from_user_pt(size_t count, const char __user *src,
char *dst) char *dst)
{ {
size_t n = strnlen_user_pt(count, src); size_t done, len, offset, len_str;
if (unlikely(!count)) if (unlikely(!count))
return 0; return 0;
if (!n)
return -EFAULT;
if (n > count)
n = count;
if (segment_eq(get_fs(), KERNEL_DS)) { if (segment_eq(get_fs(), KERNEL_DS)) {
memcpy(dst, (const char __kernel __force *) src, n); len = strnlen((const char __kernel __force *) src, count) + 1;
if (dst[n-1] == '\0') if (len > count)
return n-1; len = count;
else memcpy(dst, (const char __kernel __force *) src, len);
return n; return (dst[len - 1] == '\0') ? len - 1 : len;
} }
if (__user_copy_pt((unsigned long) src, dst, n, 0)) done = 0;
return -EFAULT; do {
if (dst[n-1] == '\0') offset = (size_t)src & ~PAGE_MASK;
return n-1; len = min(count - done, PAGE_SIZE - offset);
else if (__user_copy_pt((unsigned long) src, dst, len, 0))
return n; return -EFAULT;
len_str = strnlen(dst, len);
done += len_str;
src += len_str;
dst += len_str;
} while ((len_str == len) && (done < count));
return done;
} }
static size_t copy_in_user_pt(size_t n, void __user *to, static size_t copy_in_user_pt(size_t n, void __user *to,
......
...@@ -206,38 +206,24 @@ size_t strnlen_user_std(size_t size, const char __user *src) ...@@ -206,38 +206,24 @@ size_t strnlen_user_std(size_t size, const char __user *src)
return size; return size;
} }
size_t strncpy_from_user_std(size_t size, const char __user *src, char *dst) size_t strncpy_from_user_std(size_t count, const char __user *src, char *dst)
{ {
register unsigned long reg0 asm("0") = 0UL; size_t done, len, offset, len_str;
unsigned long tmp1, tmp2;
asm volatile( if (unlikely(!count))
" la %3,0(%1)\n" return 0;
" la %4,0(%0,%1)\n" done = 0;
" sacf 256\n" do {
"0: srst %4,%3\n" offset = (size_t)src & ~PAGE_MASK;
" jo 0b\n" len = min(count - done, PAGE_SIZE - offset);
" sacf 0\n" if (copy_from_user_std(len, src, dst))
" la %0,0(%4)\n" return -EFAULT;
" jh 1f\n" /* found \0 in string ? */ len_str = strnlen(dst, len);
" "AHI" %4,1\n" /* include \0 in copy */ done += len_str;
"1:"SLR" %0,%1\n" /* %0 = return length (without \0) */ src += len_str;
" "SLR" %4,%1\n" /* %4 = copy length (including \0) */ dst += len_str;
"2: mvcp 0(%4,%2),0(%1),%5\n" } while ((len_str == len) && (done < count));
" jz 9f\n" return done;
"3:"AHI" %4,-256\n"
" la %1,256(%1)\n"
" la %2,256(%2)\n"
"4: mvcp 0(%4,%2),0(%1),%5\n"
" jnz 3b\n"
" j 9f\n"
"7: sacf 0\n"
"8:"LHI" %0,%6\n"
"9:\n"
EX_TABLE(0b,7b) EX_TABLE(2b,8b) EX_TABLE(4b,8b)
: "+a" (size), "+a" (src), "+d" (dst), "=a" (tmp1), "=a" (tmp2)
: "d" (reg0), "K" (-EFAULT) : "cc", "memory");
return size;
} }
#define __futex_atomic_op(insn, ret, oldval, newval, uaddr, oparg) \ #define __futex_atomic_op(insn, ret, oldval, newval, uaddr, oparg) \
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment