Commit 6ff15f8d authored by Ingo Molnar's avatar Ingo Molnar

x86/fpu: Change 'size_total' parameter to unsigned and standardize the size...

x86/fpu: Change 'size_total' parameter to unsigned and standardize the size checks in copy_xstate_to_*()

'size_total' is derived from an unsigned input parameter - and then converted
to 'int' and checked for negative ranges:

	if (size_total < 0 || offset < size_total) {

This conversion and the checks are unnecessary obfuscation, reject overly
large requested copy sizes outright and simplify the underlying code.
Reported-by: default avatarRik van Riel <riel@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
Link: http://lkml.kernel.org/r/20170923130016.21448-10-mingo@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
parent 56583c9a
...@@ -925,15 +925,11 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, ...@@ -925,15 +925,11 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
* the source data pointer or increment pos, count, kbuf, and ubuf. * the source data pointer or increment pos, count, kbuf, and ubuf.
*/ */
static inline int static inline int
__copy_xstate_to_kernel(void *kbuf, __copy_xstate_to_kernel(void *kbuf, const void *data,
const void *data, unsigned int offset, unsigned int size, unsigned int size_total)
unsigned int offset, unsigned int size, int size_total)
{ {
if (!size) if (offset < size_total) {
return 0; unsigned int copy = min(size, size_total - offset);
if (size_total < 0 || offset < size_total) {
unsigned int copy = size_total < 0 ? size : min(size, size_total - offset);
memcpy(kbuf + offset, data, copy); memcpy(kbuf + offset, data, copy);
} }
...@@ -986,12 +982,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of ...@@ -986,12 +982,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
offset = xstate_offsets[i]; offset = xstate_offsets[i];
size = xstate_sizes[i]; size = xstate_sizes[i];
/* The next component has to fit fully into the output buffer: */
if (offset + size > size_total)
break;
ret = __copy_xstate_to_kernel(kbuf, src, offset, size, size_total); ret = __copy_xstate_to_kernel(kbuf, src, offset, size, size_total);
if (ret) if (ret)
return ret; return ret;
if (offset + size >= size_total)
break;
} }
} }
...@@ -1010,13 +1007,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of ...@@ -1010,13 +1007,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
} }
static inline int static inline int
__copy_xstate_to_user(void __user *ubuf, const void *data, unsigned int offset, unsigned int size, int size_total) __copy_xstate_to_user(void __user *ubuf, const void *data, unsigned int offset, unsigned int size, unsigned int size_total)
{ {
if (!size) if (!size)
return 0; return 0;
if (size_total < 0 || offset < size_total) { if (offset < size_total) {
unsigned int copy = size_total < 0 ? size : min(size, size_total - offset); unsigned int copy = min(size, size_total - offset);
if (__copy_to_user(ubuf + offset, data, copy)) if (__copy_to_user(ubuf + offset, data, copy))
return -EFAULT; return -EFAULT;
...@@ -1069,12 +1066,13 @@ int copy_xstate_to_user(void __user *ubuf, struct xregs_state *xsave, unsigned i ...@@ -1069,12 +1066,13 @@ int copy_xstate_to_user(void __user *ubuf, struct xregs_state *xsave, unsigned i
offset = xstate_offsets[i]; offset = xstate_offsets[i];
size = xstate_sizes[i]; size = xstate_sizes[i];
/* The next component has to fit fully into the output buffer: */
if (offset + size > size_total)
break;
ret = __copy_xstate_to_user(ubuf, src, offset, size, size_total); ret = __copy_xstate_to_user(ubuf, src, offset, size, size_total);
if (ret) if (ret)
return ret; return ret;
if (offset + size >= size_total)
break;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment