From 9141d11115042913496baa463193e17cb83fb6ac Mon Sep 17 00:00:00 2001 From: wma Date: Thu, 24 Mar 2016 13:28:33 +0000 Subject: arm64: Fixing user space boudary checking in copyinout.S Big buffer size could cause integer overflow and as a result attempt to copy beyond VM_USERMAX_ADDRESS. Fixing copyinstr boundary checking where compared value has been overwritten by accident when setting fault handler. Submitted by: Dominik Ermel Obtained from: Semihalf Sponsored by: Cavium Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D5719 --- sys/arm64/arm64/copyinout.S | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'sys/arm64') diff --git a/sys/arm64/arm64/copyinout.S b/sys/arm64/arm64/copyinout.S index a146ac9..b99dbc2 100644 --- a/sys/arm64/arm64/copyinout.S +++ b/sys/arm64/arm64/copyinout.S @@ -52,7 +52,8 @@ END(copyio_fault) */ ENTRY(copyout) cbz x2, 1f - add x3, x1, x2 + adds x3, x1, x2 + b.cs copyio_fault_nopcb ldr x4, =VM_MAXUSER_ADDRESS cmp x3, x4 b.hi copyio_fault_nopcb @@ -71,7 +72,8 @@ END(copyout) */ ENTRY(copyin) cbz x2, 1f - add x3, x0, x2 + adds x3, x0, x2 + b.cs copyio_fault_nopcb ldr x4, =VM_MAXUSER_ADDRESS cmp x3, x4 b.hi copyio_fault_nopcb @@ -92,11 +94,11 @@ ENTRY(copyinstr) mov x5, xzr /* count = 0 */ mov w4, #1 /* If zero return faulure */ cbz x2, 3f /* If len == 0 then skip loop */ - ldr x7, =VM_MAXUSER_ADDRESS adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ + ldr x7, =VM_MAXUSER_ADDRESS 1: cmp x0, x7 b.cs copyio_fault ldrb w4, [x0], #1 /* Load from uaddr */ -- cgit v1.1