From: Al Viro
To: Linus Torvalds
Cc: Thomas Gleixner, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC][PATCH 05/22] vm86: get rid of get_user_ex() use
Date: Mon, 23 Mar 2020 18:38:02 +0000
Message-Id: <20200323183819.250124-5-viro@ZenIV.linux.org.uk>
In-Reply-To: <20200323183819.250124-1-viro@ZenIV.linux.org.uk>
References: <20200323183620.GD23230@ZenIV.linux.org.uk> <20200323183819.250124-1-viro@ZenIV.linux.org.uk>
From: Al Viro

Just do a copyin of what we want into a local variable and be done with that. We are guaranteed to be on shallow stack here...

Note that the conditional expression for the range passed to access_ok() in mainline had been pointless all along - the only difference between vm86plus_struct and vm86_struct is that the former has one extra field at the end, and when we get to copyin of that field (conditional upon the 'plus' argument), we use copy_from_user(). Moreover, all fields starting with ->int_revectored are copied that way, so we need that check (be it done by access_ok() or by user_access_begin()) only on the beginning of the structure - the fields that used to be covered by that get_user_try() block.

Signed-off-by: Al Viro

--- arch/x86/kernel/vm86_32.c | 54 +++++++++++++++++++++-------------------------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c index 91d55454e702..49b37eb01e99 100644 --- a/arch/x86/kernel/vm86_32.c +++ b/arch/x86/kernel/vm86_32.c @@ -243,6 +243,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) struct kernel_vm86_regs vm86regs; struct pt_regs *regs = current_pt_regs(); unsigned long err = 0; + struct vm86_struct v; err = security_mmap_addr(0); if (err) {
@@ -278,39 +279,32 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) if (vm86->saved_sp0) return -EPERM; - if (!access_ok(user_vm86, plus ? - sizeof(struct vm86_struct) : - sizeof(struct vm86plus_struct))) + if (copy_from_user(&v, user_vm86, + offsetof(struct vm86_struct, int_revectored))) return -EFAULT; memset(&vm86regs, 0, sizeof(vm86regs)); - get_user_try { - unsigned short seg; - get_user_ex(vm86regs.pt.bx, &user_vm86->regs.ebx); - get_user_ex(vm86regs.pt.cx, &user_vm86->regs.ecx); - get_user_ex(vm86regs.pt.dx, &user_vm86->regs.edx); - get_user_ex(vm86regs.pt.si, &user_vm86->regs.esi); - get_user_ex(vm86regs.pt.di, &user_vm86->regs.edi); - get_user_ex(vm86regs.pt.bp, &user_vm86->regs.ebp); - get_user_ex(vm86regs.pt.ax, &user_vm86->regs.eax); - get_user_ex(vm86regs.pt.ip, &user_vm86->regs.eip); - get_user_ex(seg, &user_vm86->regs.cs); - vm86regs.pt.cs = seg; - get_user_ex(vm86regs.pt.flags, &user_vm86->regs.eflags); - get_user_ex(vm86regs.pt.sp, &user_vm86->regs.esp); - get_user_ex(seg, &user_vm86->regs.ss); - vm86regs.pt.ss = seg; - get_user_ex(vm86regs.es, &user_vm86->regs.es); - get_user_ex(vm86regs.ds, &user_vm86->regs.ds); - get_user_ex(vm86regs.fs, &user_vm86->regs.fs); - get_user_ex(vm86regs.gs, &user_vm86->regs.gs); - - get_user_ex(vm86->flags, &user_vm86->flags); - get_user_ex(vm86->screen_bitmap, &user_vm86->screen_bitmap); - get_user_ex(vm86->cpu_type, &user_vm86->cpu_type); - } get_user_catch(err); - if (err) - return err; + + vm86regs.pt.bx = v.regs.ebx; + vm86regs.pt.cx = v.regs.ecx; + vm86regs.pt.dx = v.regs.edx; + vm86regs.pt.si = v.regs.esi; + vm86regs.pt.di = v.regs.edi; + vm86regs.pt.bp = v.regs.ebp; + vm86regs.pt.ax = v.regs.eax; + vm86regs.pt.ip = v.regs.eip; + vm86regs.pt.cs = v.regs.cs; + vm86regs.pt.flags = v.regs.eflags; + vm86regs.pt.sp = v.regs.esp; + vm86regs.pt.ss = v.regs.ss; + vm86regs.es = v.regs.es; + vm86regs.ds = v.regs.ds; + vm86regs.fs = v.regs.fs; + vm86regs.gs = v.regs.gs; + + vm86->flags = 
v.flags; + vm86->screen_bitmap = v.screen_bitmap; + vm86->cpu_type = v.cpu_type; if (copy_from_user(&vm86->int_revectored, &user_vm86->int_revectored, -- 2.11.0
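Review bot: in the first hunk, the new local `struct vm86_struct v;` is declared as the full structure although the later `copy_from_user(&v, user_vm86, offsetof(struct vm86_struct, int_revectored))` fills only the prefix before `int_revectored`, so the trailing revectored bitmaps of `v` stay uninitialised on the stack for the rest of the function. Nothing in the hunks reads them (the last field used is `v.cpu_type`), so this is not a bug today, but a one-line comment at the declaration saying that only the fields before `int_revectored` are valid would keep a future reader from copying the rest of `v` into `vm86` by mistake.

Review bot: in the second hunk, the copy length in `copy_from_user(&v, user_vm86, offsetof(struct vm86_struct, int_revectored))` is computed from `struct vm86_struct` while the source pointer `user_vm86` is a `struct vm86plus_struct __user *`; the commit message states that the two layouts agree up to the extra trailing field, but that assumption is now load-bearing for the bounds of the copy and is not checked anywhere in the hunk. A `BUILD_BUG_ON(offsetof(struct vm86_struct, int_revectored) != offsetof(struct vm86plus_struct, int_revectored));` next to the copy would document and enforce it at compile time. The removed `unsigned short seg` temporaries are replaced by direct assignments such as `vm86regs.pt.cs = v.regs.cs;`, which relies on implicit integer conversion between the user-visible and kernel register field types; that matches the removed code's behaviour, but since the `memset(&vm86regs, 0, sizeof(vm86regs));` above it still zeroes the padding halves, no further initialisation is needed there.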