4 files changed, 34 insertions, 1 deletions
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
index 2283933a9a93..45e0c6199f36 100644
--- a/arch/s390/Kconfig.debug
+++ b/arch/s390/Kconfig.debug
@@ -6,4 +6,17 @@ config TRACE_IRQFLAGS_SUPPORT
 source "lib/Kconfig.debug"
+config DEBUG_STRICT_USER_COPY_CHECKS
+        bool "Strict user copy size checks"
+        ---help---
+          Enabling this option turns a certain set of sanity checks for user
+          copy operations into compile time warnings.
+          The copy_from_user() etc checks are there to help test if there
+          are sufficient security checks on the length argument of
+          the copy operation, by having gcc prove that the argument is
+          within bounds.
+          If unsure, or if you run an older (pre 4.4) gcc, say N.
 endmenu
diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index cbf0a8745bf4..d6b1ed0ec52b 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -265,6 +265,12 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
                return uaccess.copy_from_user(n, from, to);
 }
+extern void copy_from_user_overflow(void)
+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
+__compiletime_warning("copy_from_user() buffer size is not provably correct")
+#endif
+;
 /**
 * copy_from_user: - Copy a block of data from user space.
 * @to:   Destination address, in kernel space.
@@ -284,7 +290,13 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+        unsigned int sz = __compiletime_object_size(to);
        might_fault();
+        if (unlikely(sz != -1 && sz < n)) {
+                copy_from_user_overflow();
+                return n;
+        }
        if (access_ok(VERIFY_READ, from, n))
                n = __copy_from_user(to, from, n);
        else
diff --git a/arch/s390/lib/Makefile b/arch/s390/lib/Makefile
index 97975ec7a274..cd54a1c352af 100644
--- a/arch/s390/lib/Makefile
+++ b/arch/s390/lib/Makefile
@@ -2,7 +2,7 @@
 # Makefile for s390-specific library files..
 #
-lib-y += delay.o string.o uaccess_std.o uaccess_pt.o
+lib-y += delay.o string.o uaccess_std.o uaccess_pt.o usercopy.o
 obj-$(CONFIG_32BIT) += div64.o qrnnd.o ucmpdi2.o
 lib-$(CONFIG_64BIT) += uaccess_mvcos.o
 lib-$(CONFIG_SMP) += spinlock.o
diff --git a/arch/s390/lib/usercopy.c b/arch/s390/lib/usercopy.c
new file mode 100644
index 000000000000..14b363fec8a2
--- /dev/null
+++ b/arch/s390/lib/usercopy.c
@@ -0,0 +1,8 @@
+#include <linux/module.h>
+#include <linux/bug.h>
+void copy_from_user_overflow(void)
+{
+        WARN(1, "Buffer overflow detected!\n");
+}
+EXPORT_SYMBOL(copy_from_user_overflow);

diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug index 2283933a9a93..45e0c6199f36 100644 --- a/arch/s390/Kconfig.debug +++ b/arch/s390/Kconfig.debug
@@ -6,4 +6,17 @@ config TRACE_IRQFLAGS_SUPPORT
6		6
7	source "lib/Kconfig.debug"	7	source "lib/Kconfig.debug"
8		8
		9	config DEBUG_STRICT_USER_COPY_CHECKS
		10	bool "Strict user copy size checks"
		11	---help---
		12	Enabling this option turns a certain set of sanity checks for user
		13	copy operations into compile time warnings.
		14
		15	The copy_from_user() etc checks are there to help test if there
		16	are sufficient security checks on the length argument of
		17	the copy operation, by having gcc prove that the argument is
		18	within bounds.
		19
		20	If unsure, or if you run an older (pre 4.4) gcc, say N.
		21
9	endmenu	22	endmenu


diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h index cbf0a8745bf4..d6b1ed0ec52b 100644 --- a/arch/s390/include/asm/uaccess.h +++ b/arch/s390/include/asm/uaccess.h
@@ -265,6 +265,12 @@ __copy_from_user(void to, const void __user from, unsigned long n)
265	return uaccess.copy_from_user(n, from, to);	265	return uaccess.copy_from_user(n, from, to);
266	}	266	}
267		267
		268	extern void copy_from_user_overflow(void)
		269	#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
		270	__compiletime_warning("copy_from_user() buffer size is not provably correct")
		271	#endif
		272	;
		273
268	/**	274	/**
269	* copy_from_user: - Copy a block of data from user space.	275	* copy_from_user: - Copy a block of data from user space.
270	* @to: Destination address, in kernel space.	276	* @to: Destination address, in kernel space.
@@ -284,7 +290,13 @@ __copy_from_user(void to, const void __user from, unsigned long n)
284	static inline unsigned long __must_check	290	static inline unsigned long __must_check
285	copy_from_user(void to, const void __user from, unsigned long n)	291	copy_from_user(void to, const void __user from, unsigned long n)
286	{	292	{
		293	unsigned int sz = __compiletime_object_size(to);
		294
287	might_fault();	295	might_fault();
		296	if (unlikely(sz != -1 && sz < n)) {
		297	copy_from_user_overflow();
		298	return n;
		299	}
288	if (access_ok(VERIFY_READ, from, n))	300	if (access_ok(VERIFY_READ, from, n))
289	n = __copy_from_user(to, from, n);	301	n = __copy_from_user(to, from, n);
290	else	302	else


diff --git a/arch/s390/lib/Makefile b/arch/s390/lib/Makefile index 97975ec7a274..cd54a1c352af 100644 --- a/arch/s390/lib/Makefile +++ b/arch/s390/lib/Makefile
@@ -2,7 +2,7 @@
2	# Makefile for s390-specific library files..	2	# Makefile for s390-specific library files..
3	#	3	#
4		4
5	lib-y += delay.o string.o uaccess_std.o uaccess_pt.o	5	lib-y += delay.o string.o uaccess_std.o uaccess_pt.o usercopy.o
6	obj-$(CONFIG_32BIT) += div64.o qrnnd.o ucmpdi2.o	6	obj-$(CONFIG_32BIT) += div64.o qrnnd.o ucmpdi2.o
7	lib-$(CONFIG_64BIT) += uaccess_mvcos.o	7	lib-$(CONFIG_64BIT) += uaccess_mvcos.o
8	lib-$(CONFIG_SMP) += spinlock.o	8	lib-$(CONFIG_SMP) += spinlock.o


diff --git a/arch/s390/lib/usercopy.c b/arch/s390/lib/usercopy.c new file mode 100644 index 000000000000..14b363fec8a2 --- /dev/null +++ b/arch/s390/lib/usercopy.c
@@ -0,0 +1,8 @@
		1	#include <linux/module.h>
		2	#include <linux/bug.h>
		3
		4	void copy_from_user_overflow(void)
		5	{
		6	WARN(1, "Buffer overflow detected!\n");
		7	}
		8	EXPORT_SYMBOL(copy_from_user_overflow);