From: Al Viro
To: Linus Torvalds
Cc: Thomas Gleixner, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC][PATCH v2 05/22] vm86: get rid of get_user_ex() use
Date: Fri, 27 Mar 2020 02:31:48 +0000
Message-Id: <20200327023205.881896-5-viro@ZenIV.linux.org.uk>
In-Reply-To: <20200327023205.881896-1-viro@ZenIV.linux.org.uk>
References: <20200327023007.GS23230@ZenIV.linux.org.uk> <20200327023205.881896-1-viro@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Al Viro Just do a copyin of what we want into a local variable and be done with that. We are guaranteed to be on shallow stack here... Note that conditional expression for range passed to access_ok() in mainline had been pointless all along - the only difference between vm86plus_struct and vm86_struct is that the former has one extra field in the end and when we get to copyin of that field (conditional upon 'plus' argument), we use copy_from_user(). Moreover, all fields starting with ->int_revectored are copied that way, so we only need that check (be it done by access_ok() or by user_access_begin()) only on the beginning of the structure - the fields that used to be covered by that get_user_try() block. Signed-off-by: Al Viro --- arch/x86/kernel/vm86_32.c | 54 +++++++++++++++++++++-------------------------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c index 91d55454e702..49b37eb01e99 100644 --- a/arch/x86/kernel/vm86_32.c +++ b/arch/x86/kernel/vm86_32.c @@ -243,6 +243,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) struct kernel_vm86_regs vm86regs; struct pt_regs *regs = current_pt_regs(); unsigned long err = 0; + struct vm86_struct v; err = security_mmap_addr(0); if (err) { 
@@ -278,39 +279,32 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus) if (vm86->saved_sp0) return -EPERM; - if (!access_ok(user_vm86, plus ? - sizeof(struct vm86_struct) : - sizeof(struct vm86plus_struct))) + if (copy_from_user(&v, user_vm86, + offsetof(struct vm86_struct, int_revectored))) return -EFAULT; memset(&vm86regs, 0, sizeof(vm86regs)); - get_user_try { - unsigned short seg; - get_user_ex(vm86regs.pt.bx, &user_vm86->regs.ebx); - get_user_ex(vm86regs.pt.cx, &user_vm86->regs.ecx); - get_user_ex(vm86regs.pt.dx, &user_vm86->regs.edx); - get_user_ex(vm86regs.pt.si, &user_vm86->regs.esi); - get_user_ex(vm86regs.pt.di, &user_vm86->regs.edi); - get_user_ex(vm86regs.pt.bp, &user_vm86->regs.ebp); - get_user_ex(vm86regs.pt.ax, &user_vm86->regs.eax); - get_user_ex(vm86regs.pt.ip, &user_vm86->regs.eip); - get_user_ex(seg, &user_vm86->regs.cs); - vm86regs.pt.cs = seg; - get_user_ex(vm86regs.pt.flags, &user_vm86->regs.eflags); - get_user_ex(vm86regs.pt.sp, &user_vm86->regs.esp); - get_user_ex(seg, &user_vm86->regs.ss); - vm86regs.pt.ss = seg; - get_user_ex(vm86regs.es, &user_vm86->regs.es); - get_user_ex(vm86regs.ds, &user_vm86->regs.ds); - get_user_ex(vm86regs.fs, &user_vm86->regs.fs); - get_user_ex(vm86regs.gs, &user_vm86->regs.gs); - - get_user_ex(vm86->flags, &user_vm86->flags); - get_user_ex(vm86->screen_bitmap, &user_vm86->screen_bitmap); - get_user_ex(vm86->cpu_type, &user_vm86->cpu_type); - } get_user_catch(err); - if (err) - return err; + + vm86regs.pt.bx = v.regs.ebx; + vm86regs.pt.cx = v.regs.ecx; + vm86regs.pt.dx = v.regs.edx; + vm86regs.pt.si = v.regs.esi; + vm86regs.pt.di = v.regs.edi; + vm86regs.pt.bp = v.regs.ebp; + vm86regs.pt.ax = v.regs.eax; + vm86regs.pt.ip = v.regs.eip; + vm86regs.pt.cs = v.regs.cs; + vm86regs.pt.flags = v.regs.eflags; + vm86regs.pt.sp = v.regs.esp; + vm86regs.pt.ss = v.regs.ss; + vm86regs.es = v.regs.es; + vm86regs.ds = v.regs.ds; + vm86regs.fs = v.regs.fs; + vm86regs.gs = v.regs.gs; + + vm86->flags = 
v.flags; + vm86->screen_bitmap = v.screen_bitmap; + vm86->cpu_type = v.cpu_type; if (copy_from_user(&vm86->int_revectored, &user_vm86->int_revectored, -- 2.11.0
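Review bot: the new local `struct vm86_struct v` declared in the first hunk (`+ struct vm86_struct v;`) is only ever filled up to `int_revectored`, since the second hunk copies exactly `offsetof(struct vm86_struct, int_revectored)` bytes into it, so everything from `int_revectored` onward stays uninitialized stack memory that must never be read. A one-line comment at the declaration saying that only the head of `v` is valid would stop a later change from reading the tail and picking up stack garbage, and it is also the natural place to record the "we are on a shallow stack here" justification from the commit message for putting a user-sized structure on the kernel stack.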
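Review bot: with the blanket `access_ok()` over the whole user structure removed in the second hunk, the only range checked up front is the head copied by `copy_from_user(&v, user_vm86, offsetof(struct vm86_struct, int_revectored))`; the fields from `int_revectored` onward rely on the later `copy_from_user(&vm86->int_revectored, &user_vm86->int_revectored, ...)` calls the commit message describes, which do their own range checking. That is correct as long as no remaining access to `user_vm86` in the rest of `do_sys_vm86()` (outside this diff) uses an unchecked `__`-prefixed accessor, which is worth confirming in review. A small readability point: the removed block went through a local `unsigned short seg` for `cs` and `ss` before storing them, while the new `vm86regs.pt.cs = v.regs.cs;` and `vm86regs.pt.ss = v.regs.ss;` rely on those fields' own width in the source struct for the same result; a short comment that the narrowing now comes from the struct layout would help anyone comparing before and after.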