diff options
author | David S. Miller <davem@davemloft.net> | 2012-05-22 20:53:19 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-05-23 02:32:27 -0400 |
commit | ff06dffbc8abfc60d6a0332f058f1d1bb01abb31 (patch) | |
tree | 0845d6acfaf8221fb5d6ae3281cb1c33a8212cff /arch/sparc/lib/usercopy.c | |
parent | 29af0ebaa24d3078d7fd9747a49a763fe7f9ea3c (diff) |
sparc: Add full proper error handling to strncpy_from_user().
Linus removed the end-of-address-space hackery from
fs/namei.c:do_getname() so we really have to validate these edge
conditions and cannot cheat any more (as x86 used to as well).
Move to a common C implementation like x86 did. And if both
src and dst are sufficiently aligned we'll do word at a time
copies and checks as well.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc/lib/usercopy.c')
-rw-r--r-- | arch/sparc/lib/usercopy.c | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/arch/sparc/lib/usercopy.c b/arch/sparc/lib/usercopy.c index 14b363fec8a2..851cb75ce189 100644 --- a/arch/sparc/lib/usercopy.c +++ b/arch/sparc/lib/usercopy.c | |||
@@ -1,4 +1,6 @@ | |||
1 | #include <linux/module.h> | 1 | #include <linux/module.h> |
2 | #include <linux/uaccess.h> | ||
3 | #include <linux/errno.h> | ||
2 | #include <linux/bug.h> | 4 | #include <linux/bug.h> |
3 | 5 | ||
4 | void copy_from_user_overflow(void) | 6 | void copy_from_user_overflow(void) |
@@ -6,3 +8,133 @@ void copy_from_user_overflow(void) | |||
6 | WARN(1, "Buffer overflow detected!\n"); | 8 | WARN(1, "Buffer overflow detected!\n"); |
7 | } | 9 | } |
8 | EXPORT_SYMBOL(copy_from_user_overflow); | 10 | EXPORT_SYMBOL(copy_from_user_overflow); |
11 | |||
12 | #define REPEAT_BYTE(x) ((~0ul / 0xff) * (x)) | ||
13 | |||
14 | /* Return the high bit set in the first byte that is a zero */ | ||
15 | static inline unsigned long has_zero(unsigned long a) | ||
16 | { | ||
17 | return ((a - REPEAT_BYTE(0x01)) & ~a) & REPEAT_BYTE(0x80); | ||
18 | } | ||
19 | |||
20 | static inline long find_zero(unsigned long c) | ||
21 | { | ||
22 | #ifdef CONFIG_64BIT | ||
23 | if (!(c & 0xff00000000000000UL)) | ||
24 | return 0; | ||
25 | if (!(c & 0x00ff000000000000UL)) | ||
26 | return 1; | ||
27 | if (!(c & 0x0000ff0000000000UL)) | ||
28 | return 2; | ||
29 | if (!(c & 0x000000ff00000000UL)) | ||
30 | return 3; | ||
31 | #define __OFF 4 | ||
32 | #else | ||
33 | #define __OFF 0 | ||
34 | #endif | ||
35 | if (!(c & 0xff000000)) | ||
36 | return __OFF + 0; | ||
37 | if (!(c & 0x00ff0000)) | ||
38 | return __OFF + 1; | ||
39 | if (!(c & 0x0000ff00)) | ||
40 | return __OFF + 2; | ||
41 | return __OFF + 3; | ||
42 | #undef __OFF | ||
43 | } | ||
44 | |||
45 | /* | ||
46 | * Do a strncpy, return length of string without final '\0'. | ||
47 | * 'count' is the user-supplied count (return 'count' if we | ||
48 | * hit it), 'max' is the address space maximum (and we return | ||
49 | * -EFAULT if we hit it). | ||
50 | */ | ||
51 | static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max) | ||
52 | { | ||
53 | long res = 0; | ||
54 | |||
55 | /* | ||
56 | * Truncate 'max' to the user-specified limit, so that | ||
57 | * we only have one limit we need to check in the loop | ||
58 | */ | ||
59 | if (max > count) | ||
60 | max = count; | ||
61 | |||
62 | if (((long) dst | (long) src) & (sizeof(long) - 1)) | ||
63 | goto byte_at_a_time; | ||
64 | |||
65 | while (max >= sizeof(unsigned long)) { | ||
66 | unsigned long c; | ||
67 | |||
68 | /* Fall back to byte-at-a-time if we get a page fault */ | ||
69 | if (unlikely(__get_user(c,(unsigned long __user *)(src+res)))) | ||
70 | break; | ||
71 | *(unsigned long *)(dst+res) = c; | ||
72 | if (has_zero(c)) | ||
73 | return res + find_zero(c); | ||
74 | res += sizeof(unsigned long); | ||
75 | max -= sizeof(unsigned long); | ||
76 | } | ||
77 | |||
78 | byte_at_a_time: | ||
79 | while (max) { | ||
80 | char c; | ||
81 | |||
82 | if (unlikely(__get_user(c,src+res))) | ||
83 | return -EFAULT; | ||
84 | dst[res] = c; | ||
85 | if (!c) | ||
86 | return res; | ||
87 | res++; | ||
88 | max--; | ||
89 | } | ||
90 | |||
91 | /* | ||
92 | * Uhhuh. We hit 'max'. But was that the user-specified maximum | ||
93 | * too? If so, that's ok - we got as much as the user asked for. | ||
94 | */ | ||
95 | if (res >= count) | ||
96 | return res; | ||
97 | |||
98 | /* | ||
99 | * Nope: we hit the address space limit, and we still had more | ||
100 | * characters the caller would have wanted. That's an EFAULT. | ||
101 | */ | ||
102 | return -EFAULT; | ||
103 | } | ||
104 | |||
105 | /** | ||
106 | * strncpy_from_user: - Copy a NUL terminated string from userspace. | ||
107 | * @dst: Destination address, in kernel space. This buffer must be at | ||
108 | * least @count bytes long. | ||
109 | * @src: Source address, in user space. | ||
110 | * @count: Maximum number of bytes to copy, including the trailing NUL. | ||
111 | * | ||
112 | * Copies a NUL-terminated string from userspace to kernel space. | ||
113 | * | ||
114 | * On success, returns the length of the string (not including the trailing | ||
115 | * NUL). | ||
116 | * | ||
117 | * If access to userspace fails, returns -EFAULT (some data may have been | ||
118 | * copied). | ||
119 | * | ||
120 | * If @count is smaller than the length of the string, copies @count bytes | ||
121 | * and returns @count. | ||
122 | */ | ||
123 | long strncpy_from_user(char *dst, const char __user *src, long count) | ||
124 | { | ||
125 | unsigned long max_addr, src_addr; | ||
126 | |||
127 | if (unlikely(count <= 0)) | ||
128 | return 0; | ||
129 | |||
130 | max_addr = ~0UL; | ||
131 | if (likely(segment_eq(get_fs(), USER_DS))) | ||
132 | max_addr = STACK_TOP; | ||
133 | src_addr = (unsigned long)src; | ||
134 | if (likely(src_addr < max_addr)) { | ||
135 | unsigned long max = max_addr - src_addr; | ||
136 | return do_strncpy_from_user(dst, src, count, max); | ||
137 | } | ||
138 | return -EFAULT; | ||
139 | } | ||
140 | EXPORT_SYMBOL(strncpy_from_user); | ||