0749708352
This makes the newly optimized x86 strncpy_from_user clear the final
bytes in the word past the final NUL character, rather than copy them as
the word they were in the source.
NOTE! Unlike the silly semantics of the libc 'strncpy()' function, the
kernel strncpy_from_user() has never cleared all of the end of the
destination buffer. And neither does it do so now: it only clears the
bytes at the end of the last word it copied.
So why make this change at all? It doesn't really cost us anything extra
(we have to calculate the mask to get the length anyway), and it means
that *if* any user actually cares about zeroing the whole buffer, they
can do a "memset()" before the strncpy_from_user(), and we will no
longer write random bytes after the NUL character.
In particular, the buffer contents will now at no point contain random
source data from beyond the end of the string.
In other words, it makes behavior a bit more repeatable at no new cost,
so it's a small cleanup. I've been carrying this as a patch for the
last few weeks or so in my tree (done at the same time the sign error
was fixed in commit 12e993b894), I might as well commit it.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
142 lines
3.3 KiB
C
142 lines
3.3 KiB
C
/*
|
|
* User address space access functions.
|
|
*
|
|
* For licencing details see kernel-base/COPYING
|
|
*/
|
|
|
|
#include <linux/highmem.h>
|
|
#include <linux/module.h>
|
|
|
|
#include <asm/word-at-a-time.h>
|
|
|
|
/*
|
|
* best effort, GUP based copy_from_user() that is NMI-safe
|
|
*/
|
|
unsigned long
|
|
copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
|
|
{
|
|
unsigned long offset, addr = (unsigned long)from;
|
|
unsigned long size, len = 0;
|
|
struct page *page;
|
|
void *map;
|
|
int ret;
|
|
|
|
do {
|
|
ret = __get_user_pages_fast(addr, 1, 0, &page);
|
|
if (!ret)
|
|
break;
|
|
|
|
offset = addr & (PAGE_SIZE - 1);
|
|
size = min(PAGE_SIZE - offset, n - len);
|
|
|
|
map = kmap_atomic(page);
|
|
memcpy(to, map+offset, size);
|
|
kunmap_atomic(map);
|
|
put_page(page);
|
|
|
|
len += size;
|
|
to += size;
|
|
addr += size;
|
|
|
|
} while (len < n);
|
|
|
|
return len;
|
|
}
|
|
EXPORT_SYMBOL_GPL(copy_from_user_nmi);
|
|
|
|
/*
|
|
* Do a strncpy, return length of string without final '\0'.
|
|
* 'count' is the user-supplied count (return 'count' if we
|
|
* hit it), 'max' is the address space maximum (and we return
|
|
* -EFAULT if we hit it).
|
|
*/
|
|
static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
|
|
{
|
|
long res = 0;
|
|
|
|
/*
|
|
* Truncate 'max' to the user-specified limit, so that
|
|
* we only have one limit we need to check in the loop
|
|
*/
|
|
if (max > count)
|
|
max = count;
|
|
|
|
while (max >= sizeof(unsigned long)) {
|
|
unsigned long c, mask;
|
|
|
|
/* Fall back to byte-at-a-time if we get a page fault */
|
|
if (unlikely(__get_user(c,(unsigned long __user *)(src+res))))
|
|
break;
|
|
mask = has_zero(c);
|
|
if (mask) {
|
|
mask = (mask - 1) & ~mask;
|
|
mask >>= 7;
|
|
*(unsigned long *)(dst+res) = c & mask;
|
|
return res + count_masked_bytes(mask);
|
|
}
|
|
*(unsigned long *)(dst+res) = c;
|
|
res += sizeof(unsigned long);
|
|
max -= sizeof(unsigned long);
|
|
}
|
|
|
|
while (max) {
|
|
char c;
|
|
|
|
if (unlikely(__get_user(c,src+res)))
|
|
return -EFAULT;
|
|
dst[res] = c;
|
|
if (!c)
|
|
return res;
|
|
res++;
|
|
max--;
|
|
}
|
|
|
|
/*
|
|
* Uhhuh. We hit 'max'. But was that the user-specified maximum
|
|
* too? If so, that's ok - we got as much as the user asked for.
|
|
*/
|
|
if (res >= count)
|
|
return res;
|
|
|
|
/*
|
|
* Nope: we hit the address space limit, and we still had more
|
|
* characters the caller would have wanted. That's an EFAULT.
|
|
*/
|
|
return -EFAULT;
|
|
}
|
|
|
|
/**
|
|
* strncpy_from_user: - Copy a NUL terminated string from userspace.
|
|
* @dst: Destination address, in kernel space. This buffer must be at
|
|
* least @count bytes long.
|
|
* @src: Source address, in user space.
|
|
* @count: Maximum number of bytes to copy, including the trailing NUL.
|
|
*
|
|
* Copies a NUL-terminated string from userspace to kernel space.
|
|
*
|
|
* On success, returns the length of the string (not including the trailing
|
|
* NUL).
|
|
*
|
|
* If access to userspace fails, returns -EFAULT (some data may have been
|
|
* copied).
|
|
*
|
|
* If @count is smaller than the length of the string, copies @count bytes
|
|
* and returns @count.
|
|
*/
|
|
long
|
|
strncpy_from_user(char *dst, const char __user *src, long count)
|
|
{
|
|
unsigned long max_addr, src_addr;
|
|
|
|
if (unlikely(count <= 0))
|
|
return 0;
|
|
|
|
max_addr = current_thread_info()->addr_limit.seg;
|
|
src_addr = (unsigned long)src;
|
|
if (likely(src_addr < max_addr)) {
|
|
unsigned long max = max_addr - src_addr;
|
|
return do_strncpy_from_user(dst, src, count, max);
|
|
}
|
|
return -EFAULT;
|
|
}
|
|
EXPORT_SYMBOL(strncpy_from_user);
|