ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS

The {get,put}_user macros don't perform range checking on the provided
__user address when !CPU_HAS_DOMAINS.

This patch reworks the out-of-line assembly accessors to check the user
address against a specified limit, returning -EFAULT if is is out of
range.

[will: changed get_user register allocation to match put_user]
[rmk: fixed building on older ARM architectures]

Reported-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

2 files changed, 21 insertions, 8 deletions

diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
index 11093a7c3e32..9b06bb41fca6 100644
--- a/arch/arm/lib/getuser.S
+++ b/arch/arm/lib/getuser.S
@@ -16,8 +16,9 @@
  * __get_user_X
  *
  * Inputs:      r0 contains the address
+ *              r1 contains the address limit, which must be preserved
  * Outputs:     r0 is the error code
- *              r2, r3 contains the zero-extended value
+ *              r2 contains the zero-extended value
  *              lr corrupted
  *
  * No other registers must be altered.  (see <asm/uaccess.h>
@@ -27,33 +28,39 @@
  * Note also that it is intended that __get_user_bad is not global.
  */
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 #include <asm/errno.h>
 #include <asm/domain.h>
 
 ENTRY(__get_user_1)
+        check_uaccess r0, 1, r1, r2, __get_user_bad
 1: TUSER(ldrb)  r2, [r0]
         mov     r0, #0
         mov     pc, lr
 ENDPROC(__get_user_1)
 
 ENTRY(__get_user_2)
-#ifdef CONFIG_THUMB2_KERNEL
-2: TUSER(ldrb)  r2, [r0]
-3: TUSER(ldrb)  r3, [r0, #1]
+        check_uaccess r0, 2, r1, r2, __get_user_bad
+#ifdef CONFIG_CPU_USE_DOMAINS
+rb      .req    ip
+2:      ldrbt   r2, [r0], #1
+3:      ldrbt   rb, [r0], #0
 #else
-2: TUSER(ldrb)  r2, [r0], #1
-3: TUSER(ldrb)  r3, [r0]
+rb      .req    r0
+2:      ldrb    r2, [r0]
+3:      ldrb    rb, [r0, #1]
 #endif
 #ifndef __ARMEB__
-        orr     r2, r2, r3, lsl #8
+        orr     r2, r2, rb, lsl #8
 #else
-        orr     r2, r3, r2, lsl #8
+        orr     r2, rb, r2, lsl #8
 #endif
         mov     r0, #0
         mov     pc, lr
 ENDPROC(__get_user_2)
 
 ENTRY(__get_user_4)
+        check_uaccess r0, 4, r1, r2, __get_user_bad
 4: TUSER(ldr)   r2, [r0]
         mov     r0, #0
         mov     pc, lr
diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S
index 7db25990c589..3d73dcb959b0 100644
--- a/arch/arm/lib/putuser.S
+++ b/arch/arm/lib/putuser.S
@@ -16,6 +16,7 @@
  * __put_user_X
  *
  * Inputs:      r0 contains the address
+ *              r1 contains the address limit, which must be preserved
  *              r2, r3 contains the value
  * Outputs:     r0 is the error code
  *              lr corrupted
@@ -27,16 +28,19 @@
  * Note also that it is intended that __put_user_bad is not global.
  */
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 #include <asm/errno.h>
 #include <asm/domain.h>
 
 ENTRY(__put_user_1)
+        check_uaccess r0, 1, r1, ip, __put_user_bad
 1: TUSER(strb)  r2, [r0]
         mov     r0, #0
         mov     pc, lr
 ENDPROC(__put_user_1)
 
 ENTRY(__put_user_2)
+        check_uaccess r0, 2, r1, ip, __put_user_bad
         mov     ip, r2, lsr #8
 #ifdef CONFIG_THUMB2_KERNEL
 #ifndef __ARMEB__
@@ -60,12 +64,14 @@ ENTRY(__put_user_2)
 ENDPROC(__put_user_2)
 
 ENTRY(__put_user_4)
+        check_uaccess r0, 4, r1, ip, __put_user_bad
 4: TUSER(str)   r2, [r0]
         mov     r0, #0
         mov     pc, lr
 ENDPROC(__put_user_4)
 
 ENTRY(__put_user_8)
+        check_uaccess r0, 8, r1, ip, __put_user_bad
 #ifdef CONFIG_THUMB2_KERNEL
 5: TUSER(str)   r2, [r0]
 6: TUSER(str)   r3, [r0, #4]