arm64: uaccess: consistently check object sizes
Currently in arm64's copy_{to,from}_user, we only check the source/destination object size if access_ok() tells us the user access is permissible. However, in copy_from_user() we'll subsequently zero any remainder on the destination object. If we failed the access_ok() check, that applies to the whole object size, which we didn't check. To ensure that we catch that case, this patch hoists check_object_size() to the start of copy_from_user(), matching __copy_from_user() and __copy_to_user(). To make all of our uaccess copy primitives consistent, the same is done to copy_to_user(). Cc: Catalin Marinas <catalin.marinas@arm.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Will Deacon <will.deacon@arm.com>
parent
21bdbb7102
commit
76624175dc
@ -379,9 +379,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
|
|||||||
{
|
{
|
||||||
unsigned long res = n;
|
unsigned long res = n;
|
||||||
kasan_check_write(to, n);
|
kasan_check_write(to, n);
|
||||||
|
check_object_size(to, n, false);
|
||||||
|
|
||||||
if (access_ok(VERIFY_READ, from, n)) {
|
if (access_ok(VERIFY_READ, from, n)) {
|
||||||
check_object_size(to, n, false);
|
|
||||||
res = __arch_copy_from_user(to, from, n);
|
res = __arch_copy_from_user(to, from, n);
|
||||||
}
|
}
|
||||||
if (unlikely(res))
|
if (unlikely(res))
|
||||||
@ -392,9 +392,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
|
|||||||
static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
|
static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
|
||||||
{
|
{
|
||||||
kasan_check_read(from, n);
|
kasan_check_read(from, n);
|
||||||
|
check_object_size(from, n, true);
|
||||||
|
|
||||||
if (access_ok(VERIFY_WRITE, to, n)) {
|
if (access_ok(VERIFY_WRITE, to, n)) {
|
||||||
check_object_size(from, n, true);
|
|
||||||
n = __arch_copy_to_user(to, from, n);
|
n = __arch_copy_to_user(to, from, n);
|
||||||
}
|
}
|
||||||
return n;
|
return n;
|
||||||
|
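Review bot: The hoisted `check_object_size(to, n, false);` in copy_from_user() has no comment saying why it must stay ahead of `access_ok()`, and that ordering is what the fix depends on: per the commit message, the failure path zeroes the remainder of `to`, so the destination must be size-checked even when the user pointer is rejected. I would add `/* Check the whole destination first: it is zeroed below even if access_ok() fails. */` above the call so a later cleanup does not fold it back into the `if` block. The zeroing itself and the end of the function lie beyond the hunk, so this relies on the description rather than on visible lines. In copy_to_user() the same move is for consistency only, and a brief `/* Kept outside access_ok() to match copy_from_user(). */` would record that.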