lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user()
commit ab10ae1c3bef56c29bac61e1201c752221b87b41 upstream.
The range passed to user_access_begin() by strncpy_from_user() and
strnlen_user() starts at 'src' and goes up to the limit of userspace
although reads will be limited by the 'count' param.
On 32 bits powerpc (book3s/32) access has to be granted for each
256Mbytes segment and the cost increases with the number of segments to
unlock.
Limit the range with 'count' param.
Fixes: 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Christophe Leroy
Greg Kroah-Hartman
parent
b46395f443
commit
e18590b3e2
2 changed files with 14 additions and 14 deletions
|
|
@ -29,13 +29,6 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src,
|
|||
const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
|
||||
unsigned long res = 0;
|
||||
|
||||
/*
|
||||
* Truncate 'max' to the user-specified limit, so that
|
||||
* we only have one limit we need to check in the loop
|
||||
*/
|
||||
if (max > count)
|
||||
max = count;
|
||||
|
||||
if (IS_UNALIGNED(src, dst))
|
||||
goto byte_at_a_time;
|
||||
|
||||
|
|
@ -113,6 +106,13 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
|
|||
unsigned long max = max_addr - src_addr;
|
||||
long retval;
|
||||
|
||||
/*
|
||||
* Truncate 'max' to the user-specified limit, so that
|
||||
* we only have one limit we need to check in the loop
|
||||
*/
|
||||
if (max > count)
|
||||
max = count;
|
||||
|
||||
kasan_check_write(dst, count);
|
||||
check_object_size(dst, count, false);
|
||||
if (user_access_begin(VERIFY_READ, src, max)) {
|
||||
|
|
|
|||
|
|
@ -31,13 +31,6 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
|
|||
unsigned long align, res = 0;
|
||||
unsigned long c;
|
||||
|
||||
/*
|
||||
* Truncate 'max' to the user-specified limit, so that
|
||||
* we only have one limit we need to check in the loop
|
||||
*/
|
||||
if (max > count)
|
||||
max = count;
|
||||
|
||||
/*
|
||||
* Do everything aligned. But that means that we
|
||||
* need to also expand the maximum..
|
||||
|
|
@ -114,6 +107,13 @@ long strnlen_user(const char __user *str, long count)
|
|||
unsigned long max = max_addr - src_addr;
|
||||
long retval;
|
||||
|
||||
/*
|
||||
* Truncate 'max' to the user-specified limit, so that
|
||||
* we only have one limit we need to check in the loop
|
||||
*/
|
||||
if (max > count)
|
||||
max = count;
|
||||
|
||||
if (user_access_begin(VERIFY_READ, str, max)) {
|
||||
retval = do_strnlen_user(str, count, max);
|
||||
user_access_end();
|
||||
|
|
|
|||
Loading…
Reference in a new issue