提交 f45655f6 编写于 作者: H Heiko Carstens 提交者: Martin Schwidefsky

s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case

If the maximum length specified for the to be accessed string for
strncpy_from_user() and strnlen_user() is zero the following incorrect
values would be returned or incorrect memory accesses would happen:

strnlen_user_std() and strnlen_user_pt() incorrectly return "1"
strncpy_from_user_pt() would incorrectly access "dst[maxlen - 1]"
strncpy_from_user_mvcos() would incorrectly return "-EFAULT"

Fix all these oddities by adding early checks.
Reviewed-by: NGerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
上级 d7b788cd
......@@ -184,6 +184,8 @@ static size_t strncpy_from_user_mvcos(size_t count, const char __user *src,
{
size_t done, len, offset, len_str;
if (unlikely(!count))
return 0;
done = 0;
do {
offset = (size_t)src & ~PAGE_MASK;
......
......@@ -172,6 +172,8 @@ static size_t strnlen_user_pt(size_t count, const char __user *src)
unsigned long offset, done, len, kaddr;
size_t len_str;
if (unlikely(!count))
return 0;
if (segment_eq(get_fs(), KERNEL_DS))
return strnlen((const char __kernel __force *) src, count) + 1;
done = 0;
......@@ -202,6 +204,8 @@ static size_t strncpy_from_user_pt(size_t count, const char __user *src,
{
size_t n = strnlen_user_pt(count, src);
if (unlikely(!count))
return 0;
if (!n)
return -EFAULT;
if (n > count)
......
......@@ -188,6 +188,8 @@ size_t strnlen_user_std(size_t size, const char __user *src)
register unsigned long reg0 asm("0") = 0UL;
unsigned long tmp1, tmp2;
if (unlikely(!size))
return 0;
asm volatile(
" la %2,0(%1)\n"
" la %3,0(%0,%1)\n"
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册