summaryrefslogtreecommitdiff
path: root/arch/metag
diff options
context:
space:
mode:
authorJames Hogan <james.hogan@imgtec.com>2017-05-02 19:41:06 +0100
committerJames Hogan <james.hogan@imgtec.com>2017-05-02 21:11:32 +0100
commit3a158a62da0673db918b53ac1440845a5b64fd90 (patch)
tree6ba8e4c284d1caf5dbbc2a813dc6b214d6e097d5 /arch/metag
parent8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb (diff)
metag/uaccess: Check access_ok in strncpy_from_user
The metag implementation of strncpy_from_user() doesn't validate the src pointer, which could allow reading of arbitrary kernel memory. Add a short access_ok() check to prevent that. Its still possible for it to read across the user/kernel boundary, but it will invariably reach a NUL character after only 9 bytes, leaking only a static kernel address being loaded into D0Re0 at the beginning of __start, which is acceptable for the immediate fix. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: linux-metag@vger.kernel.org Cc: stable@vger.kernel.org
Diffstat (limited to 'arch/metag')
-rw-r--r--arch/metag/include/asm/uaccess.h9
1 files changed, 7 insertions, 2 deletions
diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
index 1e5f26d2dce8..500f1be6e0fe 100644
--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -199,8 +199,13 @@ do { \
extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
long count);
-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)
-
+static inline long
+strncpy_from_user(char *dst, const char __user *src, long count)
+{
+ if (!access_ok(VERIFY_READ, src, 1))
+ return -EFAULT;
+ return __strncpy_from_user(dst, src, count);
+}
/*
* Return the size of a string (including the ending 0)
*