From patchwork Mon May 5 06:13:58 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrey Ryabinin X-Patchwork-Id: 4111971 Return-Path: X-Original-To: patchwork-linux-arm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 3EFB2BFF02 for ; Mon, 5 May 2014 06:21:31 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6C91C2037D for ; Mon, 5 May 2014 06:21:30 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D589E2037A for ; Mon, 5 May 2014 06:21:28 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1WhCEl-0002mI-0W; Mon, 05 May 2014 06:18:51 +0000 Received: from mailout3.w1.samsung.com ([210.118.77.13]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1WhCEi-0002fS-0v for linux-arm-kernel@lists.infradead.org; Mon, 05 May 2014 06:18:49 +0000 Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7u4-24.01(7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTP id <0N5300JK786JQ100@mailout3.w1.samsung.com> for linux-arm-kernel@lists.infradead.org; Mon, 05 May 2014 07:18:19 +0100 (BST) X-AuditID: cbfec7f5-b7fae6d000004d6d-55-53672d2bfa92 Received: from eusync1.samsung.com ( [203.254.199.211]) by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id C9.17.19821.B2D27635; Mon, 05 May 2014 07:18:19 +0100 (BST) Received: from localhost.localdomain ([106.109.128.4]) by eusync1.samsung.com (Oracle Communications Messaging Server 7u4-23.01 (7.0.4.23.0) 64bit (built Aug 10 2011)) with ESMTPA id <0N53001W686EQO20@eusync1.samsung.com>; Mon, 05 May 2014 07:18:19 +0100 (BST) From: Andrey Ryabinin To: linux@arm.linux.org.uk Subject: [PATCH] arm: put_user: fix possible data corruption in put_user Date: Mon, 05 May 2014 10:13:58 +0400 Message-id: <1399270438-26181-1-git-send-email-a.ryabinin@samsung.com> X-Mailer: git-send-email 1.8.3.2 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrLJMWRmVeSWpSXmKPExsVy+t/xy7rauunBBnPfC1ts+/WIzWLT42us Fpd3zWGzuH2Z1+LTs3/sFi8/nmBxYPNYM28No0dLcw+bx51re9g8Ni+p9+jbsorR4/MmuQC2 KC6blNSczLLUIn27BK6M1z+msBcc4Kxo2r+auYHxKnsXIyeHhICJxOWFLUwQtpjEhXvr2boY uTiEBJYySjxfuYQVwulhkljRuBqsg01AT+LfrO1sILaIgJTEjJ1L2UGKmAUWM0qseP2EGSQh LOAhceBDG1gDi4CqxNx3h8BsXgE3ifbPk9gg1ilILPuylnkCI/cCRoZVjKKppckFxUnpuUZ6 xYm5xaV56XrJ+bmbGCFB8nUH49JjVocYBTgYlXh4PbxTgoVYE8uKK3MPMUpwMCuJ8M5iTA8W 4k1JrKxKLcqPLyrNSS0+xMjEwSnVwNg5eb4XQ3TID36JG84nGLz9Sir0Wnbez9N9/Xk2n6rj worMGbWzH6xXt5F0e1bS8XlzdtumaVeu9BeLC4Qce/Bpja9H+MpXx0OcOF6tKLt0S+mH1lyx yR0C+p4rBS2EFYIyNes2h+5YIKaWMX3xrYfrvKMn9WzTfBB58kvXxi1+P5pD3svaeiuxFGck GmoxFxUnAgD+pw0r8AEAAA== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20140504_231848_216098_859DE833 X-CRM114-Status: UNSURE ( 8.90 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -5.7 (-----) Cc: nicolas.pitre@linaro.org, Andrey Ryabinin , will.deacon@arm.com, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP According to arm procedure call standart r2 register is call-cloberred. So after the result of x expression was put into r2 any following function call in p may overwrite r2. To fix this, the result of p expression must be saved to the temporary variable before the assigment x expression to __r2. Signed-off-by: Andrey Ryabinin Reviewed-by: Nicolas Pitre --- arch/arm/include/asm/uaccess.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 12c3a5d..4b584ac 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -171,8 +171,9 @@ extern int __put_user_8(void *, unsigned long long); #define __put_user_check(x,p) \ ({ \ unsigned long __limit = current_thread_info()->addr_limit - 1; \ + const typeof(*(p)) __user *tmp_p = (p); \ register const typeof(*(p)) __r2 asm("r2") = (x); \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ + register const typeof(*(p)) __user *__p asm("r0") = tmp_p; \ register unsigned long __l asm("r1") = __limit; \ register int __e asm("r0"); \ switch (sizeof(*(__p))) { \