evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

metag/uaccess: Check access_ok in strncpy_from_user

Browse source 
commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

Its still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
James Hogan 2017-05-02 19:41:06 +01:00 committed by Greg Kroah-Hartman
parent 2d9b2e7808
commit ca19dd15e7
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
arch/metag/include/asm/uaccess.h
View file

@ -194,8 +194,13 @@ do { \
extern long __must_check __strncpy_from_user(char *dst, const char __user *src, extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
long count); long count);
#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count) static inline long
strncpy_from_user(char *dst, const char __user *src, long count)
{
if (!access_ok(VERIFY_READ, src, 1))
return -EFAULT;
return __strncpy_from_user(dst, src, count);
}
/* /*
* Return the size of a string (including the ending 0) * Return the size of a string (including the ending 0)
* *