diff options
| author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2013-02-21 07:30:42 -0500 |
|---|---|---|
| committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2013-02-28 03:37:08 -0500 |
| commit | f45655f6a65538237359abce55edab9cfcc6d82f (patch) | |
| tree | bf392ffe658ae512ed992ff24a3b6f5a32c092f7 | |
| parent | d7b788cd06a3080ebf0b2f5f2e008d4fda2b336e (diff) | |
s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case
If the maximum length specified for the to be accessed string for
strncpy_from_user() and strnlen_user() is zero the following incorrect
values would be returned or incorrect memory accesses would happen:
strnlen_user_std() and strnlen_user_pt() incorrectly return "1"
strncpy_from_user_pt() would incorrectly access "dst[maxlen - 1]"
strncpy_from_user_mvcos() would incorrectly return "-EFAULT"
Fix all these oddities by adding early checks.
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
| -rw-r--r-- | arch/s390/lib/uaccess_mvcos.c | 2 | ||||
| -rw-r--r-- | arch/s390/lib/uaccess_pt.c | 4 | ||||
| -rw-r--r-- | arch/s390/lib/uaccess_std.c | 2 |
3 files changed, 8 insertions, 0 deletions
diff --git a/arch/s390/lib/uaccess_mvcos.c b/arch/s390/lib/uaccess_mvcos.c index 7f3eb3d56024..1829742bf479 100644 --- a/arch/s390/lib/uaccess_mvcos.c +++ b/arch/s390/lib/uaccess_mvcos.c | |||
| @@ -184,6 +184,8 @@ static size_t strncpy_from_user_mvcos(size_t count, const char __user *src, | |||
| 184 | { | 184 | { |
| 185 | size_t done, len, offset, len_str; | 185 | size_t done, len, offset, len_str; |
| 186 | 186 | ||
| 187 | if (unlikely(!count)) | ||
| 188 | return 0; | ||
| 187 | done = 0; | 189 | done = 0; |
| 188 | do { | 190 | do { |
| 189 | offset = (size_t)src & ~PAGE_MASK; | 191 | offset = (size_t)src & ~PAGE_MASK; |
diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c index a70ee84c0241..c1aaf22c326b 100644 --- a/arch/s390/lib/uaccess_pt.c +++ b/arch/s390/lib/uaccess_pt.c | |||
| @@ -172,6 +172,8 @@ static size_t strnlen_user_pt(size_t count, const char __user *src) | |||
| 172 | unsigned long offset, done, len, kaddr; | 172 | unsigned long offset, done, len, kaddr; |
| 173 | size_t len_str; | 173 | size_t len_str; |
| 174 | 174 | ||
| 175 | if (unlikely(!count)) | ||
| 176 | return 0; | ||
| 175 | if (segment_eq(get_fs(), KERNEL_DS)) | 177 | if (segment_eq(get_fs(), KERNEL_DS)) |
| 176 | return strnlen((const char __kernel __force *) src, count) + 1; | 178 | return strnlen((const char __kernel __force *) src, count) + 1; |
| 177 | done = 0; | 179 | done = 0; |
| @@ -202,6 +204,8 @@ static size_t strncpy_from_user_pt(size_t count, const char __user *src, | |||
| 202 | { | 204 | { |
| 203 | size_t n = strnlen_user_pt(count, src); | 205 | size_t n = strnlen_user_pt(count, src); |
| 204 | 206 | ||
| 207 | if (unlikely(!count)) | ||
| 208 | return 0; | ||
| 205 | if (!n) | 209 | if (!n) |
| 206 | return -EFAULT; | 210 | return -EFAULT; |
| 207 | if (n > count) | 211 | if (n > count) |
diff --git a/arch/s390/lib/uaccess_std.c b/arch/s390/lib/uaccess_std.c index 6fbd06338270..79c6c7d76e08 100644 --- a/arch/s390/lib/uaccess_std.c +++ b/arch/s390/lib/uaccess_std.c | |||
| @@ -188,6 +188,8 @@ size_t strnlen_user_std(size_t size, const char __user *src) | |||
| 188 | register unsigned long reg0 asm("0") = 0UL; | 188 | register unsigned long reg0 asm("0") = 0UL; |
| 189 | unsigned long tmp1, tmp2; | 189 | unsigned long tmp1, tmp2; |
| 190 | 190 | ||
| 191 | if (unlikely(!size)) | ||
| 192 | return 0; | ||
| 191 | asm volatile( | 193 | asm volatile( |
| 192 | " la %2,0(%1)\n" | 194 | " la %2,0(%1)\n" |
| 193 | " la %3,0(%0,%1)\n" | 195 | " la %3,0(%0,%1)\n" |