mirror of
https://github.com/torvalds/linux
synced 2024-10-21 10:49:43 +00:00
884b426917
If copy_from_user is called with a large buffer (>= 128 bytes) and the
userspace buffer refers partially to unreadable memory, then it is
possible for Octeon's copy_from_user to report the wrong number of bytes
have been copied. In the case where the buffer size is an exact multiple
of 128 and the fault occurs in the last 64 bytes, copy_from_user will
report that all the bytes were copied successfully but leave some
garbage in the destination buffer.
The bug is in the main __copy_user_common loop in octeon-memcpy.S where
in the middle of the loop, src and dst are incremented by 128 bytes. The
l_exc_copy fault handler is used after this but that assumes that
"src < THREAD_BUADDR($28)". This is not the case if src has already been
incremented.
Fix by adding an extra fault handler which rewinds the src and dst
pointers 128 bytes before falling though to l_exc_copy.
Thanks to the pwritev test from the strace test suite for originally
highlighting this bug!
Fixes:
|
||
|---|---|---|
| .. | ||
| crypto | ||
| executive | ||
| cpu.c | ||
| csrc-octeon.c | ||
| dma-octeon.c | ||
| flash_setup.c | ||
| Kconfig | ||
| Makefile | ||
| oct_ilm.c | ||
| octeon-irq.c | ||
| octeon-memcpy.S | ||
| octeon-platform.c | ||
| octeon-usb.c | ||
| octeon_boot.h | ||
| Platform | ||
| setup.c | ||
| smp.c | ||