diff options
author | wma <wma@FreeBSD.org> | 2016-03-24 13:28:33 +0000 |
---|---|---|
committer | wma <wma@FreeBSD.org> | 2016-03-24 13:28:33 +0000 |
commit | 9141d11115042913496baa463193e17cb83fb6ac (patch) | |
tree | 42e3fda47e2a4ae38699542eb58311e0b461f812 /sys/arm64 | |
parent | a460d0156798a8e88ab4f60947b9180e7a9c13b5 (diff) | |
download | FreeBSD-src-9141d11115042913496baa463193e17cb83fb6ac.zip FreeBSD-src-9141d11115042913496baa463193e17cb83fb6ac.tar.gz |
arm64: Fixing user space boudary checking in copyinout.S
Big buffer size could cause integer overflow and as a result
attempt to copy beyond VM_USERMAX_ADDRESS.
Fixing copyinstr boundary checking where compared value has been
overwritten by accident when setting fault handler.
Submitted by: Dominik Ermel <der@semihalf.com>
Obtained from: Semihalf
Sponsored by: Cavium
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D5719
Diffstat (limited to 'sys/arm64')
-rw-r--r-- | sys/arm64/arm64/copyinout.S | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/arm64/arm64/copyinout.S b/sys/arm64/arm64/copyinout.S index a146ac9..b99dbc2 100644 --- a/sys/arm64/arm64/copyinout.S +++ b/sys/arm64/arm64/copyinout.S @@ -52,7 +52,8 @@ END(copyio_fault) */ ENTRY(copyout) cbz x2, 1f - add x3, x1, x2 + adds x3, x1, x2 + b.cs copyio_fault_nopcb ldr x4, =VM_MAXUSER_ADDRESS cmp x3, x4 b.hi copyio_fault_nopcb @@ -71,7 +72,8 @@ END(copyout) */ ENTRY(copyin) cbz x2, 1f - add x3, x0, x2 + adds x3, x0, x2 + b.cs copyio_fault_nopcb ldr x4, =VM_MAXUSER_ADDRESS cmp x3, x4 b.hi copyio_fault_nopcb @@ -92,11 +94,11 @@ ENTRY(copyinstr) mov x5, xzr /* count = 0 */ mov w4, #1 /* If zero return faulure */ cbz x2, 3f /* If len == 0 then skip loop */ - ldr x7, =VM_MAXUSER_ADDRESS adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ + ldr x7, =VM_MAXUSER_ADDRESS 1: cmp x0, x7 b.cs copyio_fault ldrb w4, [x0], #1 /* Load from uaddr */ |