From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Max Filippov <jcmvbkbc@gmail.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-xtensa@linux-xtensa.org
Subject: [PATCH AUTOSEL 4.4 12/17] xtensa: fix {get,put}_user() for 64bit values
Date: Sat, 26 Oct 2019 09:22:56 -0400
Message-ID: <20191026132302.4622-12-sashal@kernel.org>
In-Reply-To: <20191026132302.4622-1-sashal@kernel.org>

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 6595d144decec396bf2e2efee27e50634a4b627f ]

First of all, on short copies __copy_{to,from}_user() return the amount
of bytes left uncopied, *not* -EFAULT.  get_user() and put_user() are
expected to return -EFAULT on failure.

Another problem is get_user(v32, (__u64 __user *)p); that should
fetch 64bit value and then assign it to v32, truncating it in process.
Current code, OTOH, reads 8 bytes of data and stores them at the
address of v32, stomping on the 4 bytes that follow v32 itself.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/xtensa/include/asm/uaccess.h | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/arch/xtensa/include/asm/uaccess.h b/arch/xtensa/include/asm/uaccess.h
index 147b26ed9c91f..42133985a19a1 100644
--- a/arch/xtensa/include/asm/uaccess.h
+++ b/arch/xtensa/include/asm/uaccess.h
@@ -245,7 +245,7 @@ do {									\
 	case 4: __put_user_asm(x, ptr, retval, 4, "s32i", __cb); break;	\
 	case 8: {							\
 		     __typeof__(*ptr) __v64 = x;			\
-		     retval = __copy_to_user(ptr, &__v64, 8);		\
+		     retval = __copy_to_user(ptr, &__v64, 8) ? -EFAULT : 0;	\
 		     break;						\
 	        }							\
 	default: __put_user_bad();					\
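
Review bot: In the case 8 branch of the put path, the reason for "? -EFAULT : 0" is not recorded next to the code. A short comment saying that __copy_to_user() returns the number of bytes left uncopied, not an error code, would keep a later cleanup from dropping the conversion. The replaced line is also longer than its neighbours, so check that its trailing backslash still lines up with the rest of the macro.
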
@@ -344,7 +344,16 @@ do {									\
 	case 1: __get_user_asm(x, ptr, retval, 1, "l8ui", __cb);  break;\
 	case 2: __get_user_asm(x, ptr, retval, 2, "l16ui", __cb); break;\
 	case 4: __get_user_asm(x, ptr, retval, 4, "l32i", __cb);  break;\
-	case 8: retval = __copy_from_user(&x, ptr, 8);    break;	\
+	case 8: {							\
+		u64 __x;						\
+		if (unlikely(__copy_from_user(&__x, ptr, 8))) {		\
+			retval = -EFAULT;				\
+			(x) = 0;					\
+		} else {						\
+			(x) = *(__force __typeof__((ptr)))&__x;		\
+		}							\
+		break;							\
+	}								\
 	default: (x) = __get_user_bad();				\
 	}								\
 } while (0)
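
Review bot: In the new case 8 block, the success branch assigns (x) but never writes retval, while the failure branch sets it to -EFAULT. That is only correct if retval is already zero before the switch, which these lines do not show; confirm that, or set retval = 0 in the else branch. The expression *(__force __typeof__((ptr)))&__x also deserves a one-line comment saying that it reads __x back as the pointee type, so that assigning to a narrower (x) truncates the value instead of writing 8 bytes at its address. Whether all 64 bits survive when the pointee really is 64 bits wide depends on the type of whatever the calling macro passes as x, which is outside this hunk and worth checking.
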
-- 
2.20.1

