diff options
| author | Christophe Leroy <christophe.leroy@c-s.fr> | 2020-01-23 08:34:18 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-06-22 09:04:59 +0200 |
| commit | e18590b3e242638e873a61d299abf8a9df446236 (patch) | |
| tree | 70cbd8aa14c9104c19f9931362d57ee920b559ba /lib | |
| parent | b46395f443d61ec34cd9e42d05cae1eebbd4c31a (diff) | |
| download | linux-stable-e18590b3e242638e873a61d299abf8a9df446236.tar.gz linux-stable-e18590b3e242638e873a61d299abf8a9df446236.tar.bz2 linux-stable-e18590b3e242638e873a61d299abf8a9df446236.zip | |
lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user()
commit ab10ae1c3bef56c29bac61e1201c752221b87b41 upstream.
The range passed to user_access_begin() by strncpy_from_user() and
strnlen_user() starts at 'src' and goes up to the limit of userspace
although reads will be limited by the 'count' param.
On 32 bits powerpc (book3s/32) access has to be granted for each
256Mbytes segment and the cost increases with the number of segments to
unlock.
Limit the range with 'count' param.
Fixes: 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/strncpy_from_user.c | 14 | ||||
| -rw-r--r-- | lib/strnlen_user.c | 14 |
2 files changed, 14 insertions, 14 deletions
diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index b8570a11776d..fc5b1e2d997d 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -29,13 +29,6 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src, const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; unsigned long res = 0; - /* - * Truncate 'max' to the user-specified limit, so that - * we only have one limit we need to check in the loop - */ - if (max > count) - max = count; - if (IS_UNALIGNED(src, dst)) goto byte_at_a_time; @@ -113,6 +106,13 @@ long strncpy_from_user(char *dst, const char __user *src, long count) unsigned long max = max_addr - src_addr; long retval; + /* + * Truncate 'max' to the user-specified limit, so that + * we only have one limit we need to check in the loop + */ + if (max > count) + max = count; + kasan_check_write(dst, count); check_object_size(dst, count, false); if (user_access_begin(VERIFY_READ, src, max)) { diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c index f5fa5b266ea2..0bf7c06ebdad 100644 --- a/lib/strnlen_user.c +++ b/lib/strnlen_user.c @@ -32,13 +32,6 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long c; /* - * Truncate 'max' to the user-specified limit, so that - * we only have one limit we need to check in the loop - */ - if (max > count) - max = count; - - /* * Do everything aligned. But that means that we * need to also expand the maximum.. */ @@ -114,6 +107,13 @@ long strnlen_user(const char __user *str, long count) unsigned long max = max_addr - src_addr; long retval; + /* + * Truncate 'max' to the user-specified limit, so that + * we only have one limit we need to check in the loop + */ + if (max > count) + max = count; + if (user_access_begin(VERIFY_READ, str, max)) { retval = do_strnlen_user(str, count, max); user_access_end(); |