author | Russell King <rmk+kernel@arm.linux.org.uk> | 2012-09-07 13:22:28 -0400 |
---|---|---|
committer | Russell King <rmk+kernel@arm.linux.org.uk> | 2012-09-09 12:28:47 -0400 |
commit | 8404663f81d212918ff85f493649a7991209fa04 (patch) | |
tree | b695686fd2764914da245ef31649b1deb91ddafa /arch | |
parent | 2b2040af0b64cd93e5d4df2494c4486cf604090d (diff) |
ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS
The {get,put}_user macros don't perform range checking on the provided
__user address when !CPU_HAS_DOMAINS.
This patch reworks the out-of-line assembly accessors to check the user
address against a specified limit, returning -EFAULT if it is out of
range.
[will: changed get_user register allocation to match put_user]
[rmk: fixed building on older ARM architectures]
Reported-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/arm/include/asm/assembler.h | 8 | ||||
-rw-r--r-- | arch/arm/include/asm/uaccess.h | 40 | ||||
-rw-r--r-- | arch/arm/lib/getuser.S | 23 | ||||
-rw-r--r-- | arch/arm/lib/putuser.S | 6 |
4 files changed, 56 insertions, 21 deletions
diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 03fb93621d0d..5c8b3bf4d825 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h | |||
@@ -320,4 +320,12 @@ | |||
320 | .size \name , . - \name | 320 | .size \name , . - \name |
321 | .endm | 321 | .endm |
322 | 322 | ||
323 | .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req | ||
324 | #ifndef CONFIG_CPU_USE_DOMAINS | ||
325 | adds \tmp, \addr, #\size - 1 | ||
326 | sbcccs \tmp, \tmp, \limit | ||
327 | bcs \bad | ||
328 | #endif | ||
329 | .endm | ||
330 | |||
323 | #endif /* __ASM_ASSEMBLER_H__ */ | 331 | #endif /* __ASM_ASSEMBLER_H__ */ |
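Review bot: The new `check_uaccess` macro has no comment, and its contract cannot be read off the three instructions: `\limit` must be the highest permitted address (the callers in uaccess.h pass `addr_limit - 1`), `\tmp` is overwritten, and the condition flags are clobbered. Passing the raw `addr_limit` instead would let an access end one byte past the limit, so the convention deserves to be written down where the macro is defined. I would add above it: `/* Branch to \bad unless \addr .. \addr + \size - 1 is at or below \limit, the highest valid address (addr_limit - 1). Clobbers \tmp and the flags. */`. The same comment should say that the macro expands to nothing under `CONFIG_CPU_USE_DOMAINS`.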
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 479a6352e0b5..6f83ad6e4d3d 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h | |||
@@ -101,28 +101,39 @@ extern int __get_user_1(void *); | |||
101 | extern int __get_user_2(void *); | 101 | extern int __get_user_2(void *); |
102 | extern int __get_user_4(void *); | 102 | extern int __get_user_4(void *); |
103 | 103 | ||
104 | #define __get_user_x(__r2,__p,__e,__s,__i...) \ | 104 | #define __GUP_CLOBBER_1 "lr", "cc" |
105 | #ifdef CONFIG_CPU_USE_DOMAINS | ||
106 | #define __GUP_CLOBBER_2 "ip", "lr", "cc" | ||
107 | #else | ||
108 | #define __GUP_CLOBBER_2 "lr", "cc" | ||
109 | #endif | ||
110 | #define __GUP_CLOBBER_4 "lr", "cc" | ||
111 | |||
112 | #define __get_user_x(__r2,__p,__e,__l,__s) \ | ||
105 | __asm__ __volatile__ ( \ | 113 | __asm__ __volatile__ ( \ |
106 | __asmeq("%0", "r0") __asmeq("%1", "r2") \ | 114 | __asmeq("%0", "r0") __asmeq("%1", "r2") \ |
115 | __asmeq("%3", "r1") \ | ||
107 | "bl __get_user_" #__s \ | 116 | "bl __get_user_" #__s \ |
108 | : "=&r" (__e), "=r" (__r2) \ | 117 | : "=&r" (__e), "=r" (__r2) \ |
109 | : "0" (__p) \ | 118 | : "0" (__p), "r" (__l) \ |
110 | : __i, "cc") | 119 | : __GUP_CLOBBER_##__s) |
111 | 120 | ||
112 | #define get_user(x,p) \ | 121 | #define get_user(x,p) \ |
113 | ({ \ | 122 | ({ \ |
123 | unsigned long __limit = current_thread_info()->addr_limit - 1; \ | ||
114 | register const typeof(*(p)) __user *__p asm("r0") = (p);\ | 124 | register const typeof(*(p)) __user *__p asm("r0") = (p);\ |
115 | register unsigned long __r2 asm("r2"); \ | 125 | register unsigned long __r2 asm("r2"); \ |
126 | register unsigned long __l asm("r1") = __limit; \ | ||
116 | register int __e asm("r0"); \ | 127 | register int __e asm("r0"); \ |
117 | switch (sizeof(*(__p))) { \ | 128 | switch (sizeof(*(__p))) { \ |
118 | case 1: \ | 129 | case 1: \ |
119 | __get_user_x(__r2, __p, __e, 1, "lr"); \ | 130 | __get_user_x(__r2, __p, __e, __l, 1); \ |
120 | break; \ | 131 | break; \ |
121 | case 2: \ | 132 | case 2: \ |
122 | __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \ | 133 | __get_user_x(__r2, __p, __e, __l, 2); \ |
123 | break; \ | 134 | break; \ |
124 | case 4: \ | 135 | case 4: \ |
125 | __get_user_x(__r2, __p, __e, 4, "lr"); \ | 136 | __get_user_x(__r2, __p, __e, __l, 4); \ |
126 | break; \ | 137 | break; \ |
127 | default: __e = __get_user_bad(); break; \ | 138 | default: __e = __get_user_bad(); break; \ |
128 | } \ | 139 | } \ |
@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int); | |||
135 | extern int __put_user_4(void *, unsigned int); | 146 | extern int __put_user_4(void *, unsigned int); |
136 | extern int __put_user_8(void *, unsigned long long); | 147 | extern int __put_user_8(void *, unsigned long long); |
137 | 148 | ||
138 | #define __put_user_x(__r2,__p,__e,__s) \ | 149 | #define __put_user_x(__r2,__p,__e,__l,__s) \ |
139 | __asm__ __volatile__ ( \ | 150 | __asm__ __volatile__ ( \ |
140 | __asmeq("%0", "r0") __asmeq("%2", "r2") \ | 151 | __asmeq("%0", "r0") __asmeq("%2", "r2") \ |
152 | __asmeq("%3", "r1") \ | ||
141 | "bl __put_user_" #__s \ | 153 | "bl __put_user_" #__s \ |
142 | : "=&r" (__e) \ | 154 | : "=&r" (__e) \ |
143 | : "0" (__p), "r" (__r2) \ | 155 | : "0" (__p), "r" (__r2), "r" (__l) \ |
144 | : "ip", "lr", "cc") | 156 | : "ip", "lr", "cc") |
145 | 157 | ||
146 | #define put_user(x,p) \ | 158 | #define put_user(x,p) \ |
147 | ({ \ | 159 | ({ \ |
160 | unsigned long __limit = current_thread_info()->addr_limit - 1; \ | ||
148 | register const typeof(*(p)) __r2 asm("r2") = (x); \ | 161 | register const typeof(*(p)) __r2 asm("r2") = (x); \ |
149 | register const typeof(*(p)) __user *__p asm("r0") = (p);\ | 162 | register const typeof(*(p)) __user *__p asm("r0") = (p);\ |
163 | register unsigned long __l asm("r1") = __limit; \ | ||
150 | register int __e asm("r0"); \ | 164 | register int __e asm("r0"); \ |
151 | switch (sizeof(*(__p))) { \ | 165 | switch (sizeof(*(__p))) { \ |
152 | case 1: \ | 166 | case 1: \ |
153 | __put_user_x(__r2, __p, __e, 1); \ | 167 | __put_user_x(__r2, __p, __e, __l, 1); \ |
154 | break; \ | 168 | break; \ |
155 | case 2: \ | 169 | case 2: \ |
156 | __put_user_x(__r2, __p, __e, 2); \ | 170 | __put_user_x(__r2, __p, __e, __l, 2); \ |
157 | break; \ | 171 | break; \ |
158 | case 4: \ | 172 | case 4: \ |
159 | __put_user_x(__r2, __p, __e, 4); \ | 173 | __put_user_x(__r2, __p, __e, __l, 4); \ |
160 | break; \ | 174 | break; \ |
161 | case 8: \ | 175 | case 8: \ |
162 | __put_user_x(__r2, __p, __e, 8); \ | 176 | __put_user_x(__r2, __p, __e, __l, 8); \ |
163 | break; \ | 177 | break; \ |
164 | default: __e = __put_user_bad(); break; \ | 178 | default: __e = __put_user_bad(); break; \ |
165 | } \ | 179 | } \ |
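Review bot: In `put_user`, `__r2 asm("r2")` is initialised from `(x)` before `(p)` is evaluated, and GCC does not guarantee that a local register variable keeps its value across a function call. If the `p` argument expands to an expression that calls a function, the value already placed in r2 may be overwritten before the `bl __put_user_N`. The commit already uses the safe pattern for its own operand, computing `__limit` into an ordinary local and only then binding `__l asm("r1")`. The same could be done for the caller-supplied operands, e.g. `const typeof(*(p)) __user *__tmp_p = (p);` followed by `register const typeof(*(p)) __user *__p asm("r0") = __tmp_p;`, and likewise for `(x)`. These are context lines that the commit does not change, and both macros continue past the end of their hunks.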
diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S index 11093a7c3e32..9b06bb41fca6 100644 --- a/arch/arm/lib/getuser.S +++ b/arch/arm/lib/getuser.S | |||
@@ -16,8 +16,9 @@ | |||
16 | * __get_user_X | 16 | * __get_user_X |
17 | * | 17 | * |
18 | * Inputs: r0 contains the address | 18 | * Inputs: r0 contains the address |
19 | * r1 contains the address limit, which must be preserved | ||
19 | * Outputs: r0 is the error code | 20 | * Outputs: r0 is the error code |
20 | * r2, r3 contains the zero-extended value | 21 | * r2 contains the zero-extended value |
21 | * lr corrupted | 22 | * lr corrupted |
22 | * | 23 | * |
23 | * No other registers must be altered. (see <asm/uaccess.h> | 24 | * No other registers must be altered. (see <asm/uaccess.h> |
@@ -27,33 +28,39 @@ | |||
27 | * Note also that it is intended that __get_user_bad is not global. | 28 | * Note also that it is intended that __get_user_bad is not global. |
28 | */ | 29 | */ |
29 | #include <linux/linkage.h> | 30 | #include <linux/linkage.h> |
31 | #include <asm/assembler.h> | ||
30 | #include <asm/errno.h> | 32 | #include <asm/errno.h> |
31 | #include <asm/domain.h> | 33 | #include <asm/domain.h> |
32 | 34 | ||
33 | ENTRY(__get_user_1) | 35 | ENTRY(__get_user_1) |
36 | check_uaccess r0, 1, r1, r2, __get_user_bad | ||
34 | 1: TUSER(ldrb) r2, [r0] | 37 | 1: TUSER(ldrb) r2, [r0] |
35 | mov r0, #0 | 38 | mov r0, #0 |
36 | mov pc, lr | 39 | mov pc, lr |
37 | ENDPROC(__get_user_1) | 40 | ENDPROC(__get_user_1) |
38 | 41 | ||
39 | ENTRY(__get_user_2) | 42 | ENTRY(__get_user_2) |
40 | #ifdef CONFIG_THUMB2_KERNEL | 43 | check_uaccess r0, 2, r1, r2, __get_user_bad |
41 | 2: TUSER(ldrb) r2, [r0] | 44 | #ifdef CONFIG_CPU_USE_DOMAINS |
42 | 3: TUSER(ldrb) r3, [r0, #1] | 45 | rb .req ip |
46 | 2: ldrbt r2, [r0], #1 | ||
47 | 3: ldrbt rb, [r0], #0 | ||
43 | #else | 48 | #else |
44 | 2: TUSER(ldrb) r2, [r0], #1 | 49 | rb .req r0 |
45 | 3: TUSER(ldrb) r3, [r0] | 50 | 2: ldrb r2, [r0] |
51 | 3: ldrb rb, [r0, #1] | ||
46 | #endif | 52 | #endif |
47 | #ifndef __ARMEB__ | 53 | #ifndef __ARMEB__ |
48 | orr r2, r2, r3, lsl #8 | 54 | orr r2, r2, rb, lsl #8 |
49 | #else | 55 | #else |
50 | orr r2, r3, r2, lsl #8 | 56 | orr r2, rb, r2, lsl #8 |
51 | #endif | 57 | #endif |
52 | mov r0, #0 | 58 | mov r0, #0 |
53 | mov pc, lr | 59 | mov pc, lr |
54 | ENDPROC(__get_user_2) | 60 | ENDPROC(__get_user_2) |
55 | 61 | ||
56 | ENTRY(__get_user_4) | 62 | ENTRY(__get_user_4) |
63 | check_uaccess r0, 4, r1, r2, __get_user_bad | ||
57 | 4: TUSER(ldr) r2, [r0] | 64 | 4: TUSER(ldr) r2, [r0] |
58 | mov r0, #0 | 65 | mov r0, #0 |
59 | mov pc, lr | 66 | mov pc, lr |
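Review bot: `__get_user_2` drops its `CONFIG_THUMB2_KERNEL` case in favour of a `CONFIG_CPU_USE_DOMAINS` split, and the domains branch now uses post-indexed `ldrbt`, which as far as I know cannot be encoded in Thumb-2. That is fine if the two options can never be enabled together, but nothing visible in this file says so. I would record the assumption next to the `#ifdef`, e.g. `/* CPU_USE_DOMAINS is never set for Thumb-2 kernels, so post-indexed ldrbt is safe here */`, after confirming it against Kconfig. Separately, the `rb .req` alias is never released, so a `.unreq rb` after the `orr` would stop it leaking into the rest of the file.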
diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S index 7db25990c589..3d73dcb959b0 100644 --- a/arch/arm/lib/putuser.S +++ b/arch/arm/lib/putuser.S | |||
@@ -16,6 +16,7 @@ | |||
16 | * __put_user_X | 16 | * __put_user_X |
17 | * | 17 | * |
18 | * Inputs: r0 contains the address | 18 | * Inputs: r0 contains the address |
19 | * r1 contains the address limit, which must be preserved | ||
19 | * r2, r3 contains the value | 20 | * r2, r3 contains the value |
20 | * Outputs: r0 is the error code | 21 | * Outputs: r0 is the error code |
21 | * lr corrupted | 22 | * lr corrupted |
@@ -27,16 +28,19 @@ | |||
27 | * Note also that it is intended that __put_user_bad is not global. | 28 | * Note also that it is intended that __put_user_bad is not global. |
28 | */ | 29 | */ |
29 | #include <linux/linkage.h> | 30 | #include <linux/linkage.h> |
31 | #include <asm/assembler.h> | ||
30 | #include <asm/errno.h> | 32 | #include <asm/errno.h> |
31 | #include <asm/domain.h> | 33 | #include <asm/domain.h> |
32 | 34 | ||
33 | ENTRY(__put_user_1) | 35 | ENTRY(__put_user_1) |
36 | check_uaccess r0, 1, r1, ip, __put_user_bad | ||
34 | 1: TUSER(strb) r2, [r0] | 37 | 1: TUSER(strb) r2, [r0] |
35 | mov r0, #0 | 38 | mov r0, #0 |
36 | mov pc, lr | 39 | mov pc, lr |
37 | ENDPROC(__put_user_1) | 40 | ENDPROC(__put_user_1) |
38 | 41 | ||
39 | ENTRY(__put_user_2) | 42 | ENTRY(__put_user_2) |
43 | check_uaccess r0, 2, r1, ip, __put_user_bad | ||
40 | mov ip, r2, lsr #8 | 44 | mov ip, r2, lsr #8 |
41 | #ifdef CONFIG_THUMB2_KERNEL | 45 | #ifdef CONFIG_THUMB2_KERNEL |
42 | #ifndef __ARMEB__ | 46 | #ifndef __ARMEB__ |
@@ -60,12 +64,14 @@ ENTRY(__put_user_2) | |||
60 | ENDPROC(__put_user_2) | 64 | ENDPROC(__put_user_2) |
61 | 65 | ||
62 | ENTRY(__put_user_4) | 66 | ENTRY(__put_user_4) |
67 | check_uaccess r0, 4, r1, ip, __put_user_bad | ||
63 | 4: TUSER(str) r2, [r0] | 68 | 4: TUSER(str) r2, [r0] |
64 | mov r0, #0 | 69 | mov r0, #0 |
65 | mov pc, lr | 70 | mov pc, lr |
66 | ENDPROC(__put_user_4) | 71 | ENDPROC(__put_user_4) |
67 | 72 | ||
68 | ENTRY(__put_user_8) | 73 | ENTRY(__put_user_8) |
74 | check_uaccess r0, 8, r1, ip, __put_user_bad | ||
69 | #ifdef CONFIG_THUMB2_KERNEL | 75 | #ifdef CONFIG_THUMB2_KERNEL |
70 | 5: TUSER(str) r2, [r0] | 76 | 5: TUSER(str) r2, [r0] |
71 | 6: TUSER(str) r3, [r0, #4] | 77 | 6: TUSER(str) r3, [r0, #4] |
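Review bot: The register contract in the header comment is incomplete after this change: every `__put_user_N` entry now passes `ip` as the scratch register to `check_uaccess`, but the comment still lists only `lr` as corrupted. The clobber list in `__put_user_x` already names `ip`, so this is a documentation gap rather than a miscompile risk. I would change that comment line to `lr, ip corrupted`. The comment block and the bodies of `__put_user_2` and `__put_user_8` extend outside the visible hunks, so the remaining text may need the same adjustment.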