Commit 1897f50c authored May 02, 2017 by James Hogan Committed by Greg Kroah-Hartman May 25, 2017

metag/uaccess: Check access_ok in strncpy_from_user



commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

Its still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 1ee04c4b

arch/metag/include/asm/uaccess.h

+7 −2

Original line number	Original line	Diff line number	Diff line
	@@ -189,8 +189,13 @@ do { \
	extern long __must_check __strncpy_from_user(char dst, const char __user src,		extern long __must_check __strncpy_from_user(char dst, const char __user src,
	long count);		long count);

	#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)		static inline long
			strncpy_from_user(char dst, const char __user src, long count)
			{
			if (!access_ok(VERIFY_READ, src, 1))
			return -EFAULT;
			return __strncpy_from_user(dst, src, count);
			}
	/*		/*
	* Return the size of a string (including the ending 0)		* Return the size of a string (including the ending 0)
	*		*