[tip:x86/fpu] x86/fpu: Change 'size_total' parameter to unsigned and standardize the size checks in copy_xstate_to_*()
From: tip-bot for Ingo Molnar
Date: Tue Sep 26 2017 - 04:32:54 EST
Commit-ID: 6ff15f8db7eaf29ef5ead6afbec9b25485fe8703
Gitweb: http://git.kernel.org/tip/6ff15f8db7eaf29ef5ead6afbec9b25485fe8703
Author: Ingo Molnar <mingo@xxxxxxxxxx>
AuthorDate: Sat, 23 Sep 2017 14:59:52 +0200
Committer: Ingo Molnar <mingo@xxxxxxxxxx>
CommitDate: Sun, 24 Sep 2017 13:04:32 +0200
x86/fpu: Change 'size_total' parameter to unsigned and standardize the size checks in copy_xstate_to_*()
'size_total' is derived from an unsigned input parameter - and then converted
to 'int' and checked for negative ranges:
if (size_total < 0 || offset < size_total) {
This conversion and the checks are unnecessary obfuscation, reject overly
large requested copy sizes outright and simplify the underlying code.
Reported-by: Rik van Riel <riel@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: Eric Biggers <ebiggers3@xxxxxxxxx>
Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
Link: http://lkml.kernel.org/r/20170923130016.21448-10-mingo@xxxxxxxxxx
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
---
arch/x86/kernel/fpu/xstate.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index c130835..b18c545 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -925,15 +925,11 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
* the source data pointer or increment pos, count, kbuf, and ubuf.
*/
static inline int
-__copy_xstate_to_kernel(void *kbuf,
- const void *data,
- unsigned int offset, unsigned int size, int size_total)
+__copy_xstate_to_kernel(void *kbuf, const void *data,
+ unsigned int offset, unsigned int size, unsigned int size_total)
{
- if (!size)
- return 0;
-
- if (size_total < 0 || offset < size_total) {
- unsigned int copy = size_total < 0 ? size : min(size, size_total - offset);
+ if (offset < size_total) {
+ unsigned int copy = min(size, size_total - offset);
memcpy(kbuf + offset, data, copy);
}
@@ -986,12 +982,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
offset = xstate_offsets[i];
size = xstate_sizes[i];
+ /* The next component has to fit fully into the output buffer: */
+ if (offset + size > size_total)
+ break;
+
ret = __copy_xstate_to_kernel(kbuf, src, offset, size, size_total);
if (ret)
return ret;
-
- if (offset + size >= size_total)
- break;
}
}
@@ -1010,13 +1007,13 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
}
static inline int
-__copy_xstate_to_user(void __user *ubuf, const void *data, unsigned int offset, unsigned int size, int size_total)
+__copy_xstate_to_user(void __user *ubuf, const void *data, unsigned int offset, unsigned int size, unsigned int size_total)
{
if (!size)
return 0;
- if (size_total < 0 || offset < size_total) {
- unsigned int copy = size_total < 0 ? size : min(size, size_total - offset);
+ if (offset < size_total) {
+ unsigned int copy = min(size, size_total - offset);
if (__copy_to_user(ubuf + offset, data, copy))
return -EFAULT;
@@ -1069,12 +1066,13 @@ int copy_xstate_to_user(void __user *ubuf, struct xregs_state *xsave, unsigned i
offset = xstate_offsets[i];
size = xstate_sizes[i];
+ /* The next component has to fit fully into the output buffer: */
+ if (offset + size > size_total)
+ break;
+
ret = __copy_xstate_to_user(ubuf, src, offset, size, size_total);
if (ret)
return ret;
-
- if (offset + size >= size_total)
- break;
}
}