Date: Mon, 12 Apr 2021 16:27:30 +0200
From: Thomas Bogendoerfer
To: Tiezhu Yang
Cc: Jinyang He, linux-mips@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] MIPS: Fix strnlen_user access check
Message-ID: <20210412142730.GA23146@alpha.franken.de>
References: <1618139092-4018-1-git-send-email-hejinyang@loongson.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 12, 2021 at 11:02:19AM +0800, Tiezhu Yang wrote:
> On 04/11/2021 07:04 PM, Jinyang He wrote:
> > Commit 04324f44cb69 ("MIPS: Remove get_fs/set_fs") brought a problem for
> > strnlen_user(). Jump out when checking access_ok() with condition that
> > (s + strlen(s)) < __UA_LIMIT <= (s + n). The old __strnlen_user_asm()
> > just checked (ua_limit & s) without checking (ua_limit & (s + n)).
> > Therefore, find strlen from s to __UA_LIMIT - 1 in that condition.
> >
> > Signed-off-by: Jinyang He
> > --- > > arch/mips/include/asm/uaccess.h | 11 +++++++++-- > > 1 file changed, 9 insertions(+), 2 deletions(-) > > > > diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h > > index 91bc7fb..85ba0c8 100644 > > --- a/arch/mips/include/asm/uaccess.h > > +++ b/arch/mips/include/asm/uaccess.h > > @@ -630,8 +630,15 @@ static inline long strnlen_user(const char __user *s, long n) > > { > > long res; > > - if (!access_ok(s, n)) > > - return -0; > > + if (unlikely(n <= 0)) > > + return 0; > > + > > + if (!access_ok(s, n)) { > > + if (!access_ok(s, 0)) > > + return 0; > > + > > + n = __UA_LIMIT - (unsigned long)s - 1; > > + } > > might_fault(); > > __asm__ __volatile__(
>
> The following simple changes are OK to fix this issue?
>
> diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h > index 91bc7fb..eafc99b 100644 > --- a/arch/mips/include/asm/uaccess.h > +++ b/arch/mips/include/asm/uaccess.h
> @@ -630,8 +630,8 @@ static inline long strnlen_user(const char __user *s, long n) > { > long res; > - if (!access_ok(s, n)) > - return -0; > + if (!access_ok(s, 1)) > + return 0; > might_fault(); > __asm__ __volatile__(

that's the fix I'd like to apply. Could someone send it as a formal patch?

Thanks.

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea. [ RFC1925, 2.3 ]
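
Review bot: in the first quoted patch (the 9-insertion version), the fallback `n = __UA_LIMIT - (unsigned long)s - 1;` inside the `!access_ok(s, n)` branch carries no comment explaining the `- 1` or why `__UA_LIMIT` can be used arithmetically here, while the commit message describes the old check as a mask test, `(ua_limit & s)`. A short comment stating which interpretation of `__UA_LIMIT` the subtraction relies on would make the clamp reviewable. The nested `access_ok(s, 0)` followed by recomputing `n` also adds a second path through the function; if validating only the start of the string is sufficient, a single check is easier to audit than a check plus clamp.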
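
Review bot: in the second quoted patch, `access_ok(s, 1)` validates only the first byte and `n` no longer takes part in the access check at all, which is not obvious from the code alone. Add a comment above the check saying why size 1 is enough, and state in the commit message of the formal patch what stops the scan for the case `(s + strlen(s)) < __UA_LIMIT <= (s + n)` and for an unterminated string that reaches the limit. The `return -0` to `return 0` cleanup is fine as part of the same change.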
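
The condition from the commit message, (s + strlen(s)) < __UA_LIMIT <= (s + n), as a small user-space model; this is an added example, not code from the thread or from the kernel. `UA_LIMIT`, `mem`, `place_string` and the `model_*` functions are constructed stand-ins, and the range check is a simplification of access_ok().

```c
/* Added example: user-space model only, not the kernel's uaccess code. */
#include <stdio.h>
#include <string.h>

#define UA_LIMIT 4096UL            /* model: first address past user space */
static char mem[UA_LIMIT];         /* model: the whole user address range */

/* Range check in the spirit of access_ok(): is [addr, addr+size) user memory? */
static int model_access_ok(unsigned long addr, unsigned long size)
{
    return size <= UA_LIMIT && addr <= UA_LIMIT - size;
}

/* Stand-in for the string scan: length including the NUL, n + 1 if no
 * NUL within n bytes, 0 if the scan would leave user space (a fault). */
static long model_scan(unsigned long addr, long n)
{
    for (long i = 0; i < n; i++) {
        if (addr + i >= UA_LIMIT) return 0;
        if (mem[addr + i] == '\0') return i + 1;
    }
    return n + 1;
}

/* Check as it was before the fix: the whole n-byte window must be valid. */
static long strnlen_user_before(unsigned long s, long n)
{
    return model_access_ok(s, n) ? model_scan(s, n) : 0;
}

/* Check from the second patch: only the first byte is validated up front. */
static long strnlen_user_after(unsigned long s, long n)
{
    return model_access_ok(s, 1) ? model_scan(s, n) : 0;
}

/* Constructed input: a 9-character string placed 16 bytes below the limit. */
static unsigned long place_string(void)
{
    memset(mem, 'A', sizeof(mem));
    strcpy(&mem[UA_LIMIT - 16], "PATH=/bin");
    return UA_LIMIT - 16;
}

int main(void)
{
    unsigned long s = place_string();
    printf("before: %ld\n", strnlen_user_before(s, 256));
    printf("after:  %ld\n", strnlen_user_after(s, 256));
}
```

With a window of 256 bytes the old check rejects a valid, terminated string because the window crosses the limit; checking one byte lets the scan find the terminator, and an unterminated string that reaches the limit still yields 0 in this model.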