Commit ab10ae1c authored by Christophe Leroy's avatar Christophe Leroy Committed by Linus Torvalds
Browse files

lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() 



The range passed to user_access_begin() by strncpy_from_user() and
strnlen_user() starts at 'src' and goes up to the limit of userspace
although reads will be limited by the 'count' param.

On 32 bits powerpc (book3s/32) access has to be granted for each
256Mbytes segment and the cost increases with the number of segments to
unlock.

Limit the range with 'count' param.

Fixes: 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 838a860a

lib/strncpy_from_user.c

+7 −7
Original line number Diff line number Diff line
@@ -30,13 +30,6 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src, 
	const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;

	unsigned long res = 0;



	/*

	 * Truncate 'max' to the user-specified limit, so that

	 * we only have one limit we need to check in the loop

	 */

	if (max > count)

		max = count;



	if (IS_UNALIGNED(src, dst))

		goto byte_at_a_time;
@@ -114,6 +107,13 @@ long strncpy_from_user(char *dst, const char __user *src, long count) 
		unsigned long max = max_addr - src_addr;

		long retval;



		/*

		 * Truncate 'max' to the user-specified limit, so that

		 * we only have one limit we need to check in the loop

		 */

		if (max > count)

			max = count;



		kasan_check_write(dst, count);

		check_object_size(dst, count, false);

		if (user_access_begin(src, max)) {

lib/strnlen_user.c

+7 −7
Original line number Diff line number Diff line
@@ -26,13 +26,6 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, 
	unsigned long align, res = 0;

	unsigned long c;



	/*

	 * Truncate 'max' to the user-specified limit, so that

	 * we only have one limit we need to check in the loop

	 */

	if (max > count)

		max = count;



	/*

	 * Do everything aligned. But that means that we

	 * need to also expand the maximum..
@@ -109,6 +102,13 @@ long strnlen_user(const char __user *str, long count) 
		unsigned long max = max_addr - src_addr;

		long retval;



		/*

		 * Truncate 'max' to the user-specified limit, so that

		 * we only have one limit we need to check in the loop

		 */

		if (max > count)

			max = count;



		if (user_access_begin(str, max)) {

			retval = do_strnlen_user(str, count, max);

			user_access_end();

CRA Git | Maintained and supported by SUSTech CRA and CCSE