[patch V3 5/6] x86/fpu: Add address range checks to copy_user_to_xstate()

From: Thomas Gleixner
Date: Tue Jun 08 2021 - 10:49:42 EST


From: Andy Lutomirski <luto@xxxxxxxxxx>

copy_user_to_xstate() uses __copy_from_user(), which provides a negligible
speedup. Fortunately, both call sites are at least almost correct.
__fpu__restore_sig() checks access_ok() with a length of
xstate_sigframe_size() and ptrace regset access uses fpu_user_xstate_size.
These should be valid upper bounds on the length, so, at worst, this would
cause spurious failures and not accesses to kernel memory.

Nonetheless, this is far more fragile than necessary and none of these
callers are in a hotpath.

Use copy_from_user() instead.

Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
---
arch/x86/kernel/fpu/xstate.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1190,7 +1190,7 @@ int copy_user_to_xstate(struct xregs_sta
offset = offsetof(struct xregs_state, header);
size = sizeof(hdr);

- if (__copy_from_user(&hdr, ubuf + offset, size))
+ if (copy_from_user(&hdr, ubuf + offset, size))
return -EFAULT;

if (validate_user_xstate_header(&hdr))
@@ -1205,7 +1205,7 @@ int copy_user_to_xstate(struct xregs_sta
offset = xstate_offsets[i];
size = xstate_sizes[i];

- if (__copy_from_user(dst, ubuf + offset, size))
+ if (copy_from_user(dst, ubuf + offset, size))
return -EFAULT;
}
}
@@ -1213,7 +1213,7 @@ int copy_user_to_xstate(struct xregs_sta
if (xfeatures_mxcsr_quirk(hdr.xfeatures)) {
offset = offsetof(struct fxregs_state, mxcsr);
size = MXCSR_AND_FLAGS_SIZE;
- if (__copy_from_user(&xsave->i387.mxcsr, ubuf + offset, size))
+ if (copy_from_user(&xsave->i387.mxcsr, ubuf + offset, size))
return -EFAULT;
}