Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1450021pxb; Sun, 11 Apr 2021 20:35:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzvFVGZ69Hk2Hq7VpQRjDODOpkDb3qHn/ko9Ns3P8Ou1I6PfOiBmsHozEl+btwN5DVCuquH X-Received: by 2002:a17:902:7594:b029:e8:c21b:76aa with SMTP id j20-20020a1709027594b02900e8c21b76aamr24478539pll.37.1618198522433; Sun, 11 Apr 2021 20:35:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618198522; cv=none; d=google.com; s=arc-20160816; b=HxVOtRto3ZcYKL7+LGwD9wFtZLAxGKfU+P+WF1HvyvWyrXzLRyHMxBrn1QcOC5vOW5 DCdqrzeKZG6qb/AAI5yjBPkrMFijdS5c7vV2ylwqVGKEC0Cw/pLGiXvIAfM1w1J9EF1a gVxpVIj/QGzpv3sJh53teKBbhneqjIM09XHAxwAs4VqCxUefiJPqP+tFUBsmmuB/3X7g 7ujeMf/ihXf317f9+hYzLHgs+CKN+7aYisyeXuMjo/peIJ1bumvizdsmeiDFr52AJvXc AwUVk2ehyul6S5P6h3TO1HgqZyJh2LKaes/KvykJLq1yDj7jUbfBEeZLs2MEA3RnIdQv WVvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:cc:references:to :subject; bh=YLqslbGsHVWgp7jIdMo5/lawlWv78Igs0wqGDuTlCTQ=; b=w+urXNi/kLLGlIepHhtxYdreG4ff9qcqRepDHkjmsakL9zxcczy8tzRfTSsg6BNruY FnaWuuAykKKWdWa9G821id5c+subIFGMr/jO0ic0QnqkUPjKwUbEe5toFeYdMK/qVwHG 8ii/6RquLBO2HaeyfdTX/h7qNJQV3/h1lk5dM11kmT/c0JS1Sv6yc1ZXtNG8hClsvUWs pW+IXlDAYCFba5NL5jz07KLdjg/QmhrZr5cIbI+B8mya5xcTB7GYDgfjSwS4udYZ8MO3 Lc6xSml4EtBQcsKSQGQBSlWwE/PtUaJsEpnR0RkBJ1EeLLNZcu/PlxiQc/xSnM5IVs6U LSuw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w1si12172120pgp.157.2021.04.11.20.35.08; Sun, 11 Apr 2021 20:35:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236410AbhDLDDJ (ORCPT + 99 others); Sun, 11 Apr 2021 23:03:09 -0400 Received: from mail.loongson.cn ([114.242.206.163]:46202 "EHLO loongson.cn" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S235857AbhDLDDI (ORCPT ); Sun, 11 Apr 2021 23:03:08 -0400 Received: from [10.130.0.135] (unknown [113.200.148.30]) by mail.loongson.cn (Coremail) with SMTP id AQAAf9AxHck7uHNg698GAA--.9221S3; Mon, 12 Apr 2021 11:02:19 +0800 (CST) Subject: Re: [PATCH] MIPS: Fix strnlen_user access check To: Jinyang He , Thomas Bogendoerfer References: <1618139092-4018-1-git-send-email-hejinyang@loongson.cn> Cc: linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org From: Tiezhu Yang Message-ID: Date: Mon, 12 Apr 2021 11:02:19 +0800 User-Agent: Mozilla/5.0 (X11; Linux mips64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: <1618139092-4018-1-git-send-email-hejinyang@loongson.cn> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-CM-TRANSID: AQAAf9AxHck7uHNg698GAA--.9221S3 X-Coremail-Antispam: 1UD129KBjvJXoW7tw17XFWxCFWUAF4ktw1UKFg_yoW8WrW8pF s3Aw1kKFs0gryfAa4ay3y2qF1rGws8Gr1Y9a42gr1UZF1qvw15trWSkr1q93y8JFs8Aa4x WFWSqrn5Wr1jvw7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvC14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW8Jr0_Cr1UM28EF7xvwVC2z280aVCY1x0267AKxV WxJr0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2Wl Yx0E2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbV WUJVW8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7I2V7IY0VAS07Al zVAYIcxG8wCY02Avz4vE14v_Gr4l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr 0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY 17CE14v26r126r1DMIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcV C0I7IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF 0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2Kf nxnUUI43ZEXa7VUjHGQDUUUUU== X-CM-SenderInfo: p1dqw3xlh2x3gn0dqz5rrqw2lrqou0/ Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/11/2021 07:04 PM, Jinyang He wrote: > Commit 04324f44cb69 ("MIPS: Remove get_fs/set_fs") brought a problem for > strnlen_user(). Jump out when checking access_ok() with condition that > (s + strlen(s)) < __UA_LIMIT <= (s + n). The old __strnlen_user_asm() > just checked (ua_limit & s) without checking (ua_limit & (s + n)). > Therefore, find strlen form s to __UA_LIMIT - 1 in that condition. > > Signed-off-by: Jinyang He > --- > arch/mips/include/asm/uaccess.h | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h > index 91bc7fb..85ba0c8 100644 > --- a/arch/mips/include/asm/uaccess.h > +++ b/arch/mips/include/asm/uaccess.h > @@ -630,8 +630,15 @@ static inline long strnlen_user(const char __user *s, long n) > { > long res; > > - if (!access_ok(s, n)) > - return -0; > + if (unlikely(n <= 0)) > + return 0; > + > + if (!access_ok(s, n)) { > + if (!access_ok(s, 0)) > + return 0; > + > + n = __UA_LIMIT - (unsigned long)s - 1; > + } > > might_fault(); > __asm__ __volatile__( The following simple changes are OK to fix this issue? diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h index 91bc7fb..eafc99b 100644 --- a/arch/mips/include/asm/uaccess.h +++ b/arch/mips/include/asm/uaccess.h @@ -630,8 +630,8 @@ static inline long strnlen_user(const char __user *s, long n) { long res; - if (!access_ok(s, n)) - return -0; + if (!access_ok(s, 1)) + return 0; might_fault(); __asm__ __volatile__( Thanks, Tiezhu