diff mbox

arm64: avoid multiple evaluation of ptr in get_user/put_user()

Message ID 524154C2.1080303@linaro.org (mailing list archive)
State New, archived
Headers show

Commit Message

AKASHI Takahiro Sept. 24, 2013, 9 a.m. UTC 
get_user() is defined as a function macro in arm64, and trace_get_user()
calls it as followed:
     get_user(ch, ptr++);
Since the second parameter occurs twice in the definition, 'ptr++' is
unexpectedly evaluated twice and trace_get_user() will generate a bogus
string from user-provided one. As a result, some ftrace sysfs operations,
like "echo FUNCNAME > set_ftrace_filter," hit this case and eventually fail.
This patch fixes the issue both in get_user() and put_user().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
  arch/arm64/include/asm/uaccess.h |   12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)

  ({									\
+	__typeof__(*(ptr)) *optr = (ptr);				\
+									\
  	might_fault();							\
-	access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ?		\
-		__put_user((x), (ptr)) :				\
+	access_ok(VERIFY_WRITE, optr, sizeof(*optr)) ?			\
+		__put_user((x), optr) :					\
  		-EFAULT;						\
  })
  -- 1.7.9.5

Comments

Catalin Marinas Sept. 24, 2013, 2:05 p.m. UTC | #1 
On Tue, Sep 24, 2013 at 10:00:50AM +0100, AKASHI Takahiro wrote:
> get_user() is defined as a function macro in arm64, and trace_get_user()
> calls it as followed:
>      get_user(ch, ptr++);
> Since the second parameter occurs twice in the definition, 'ptr++' is
> unexpectedly evaluated twice and trace_get_user() will generate a bogus
> string from user-provided one. As a result, some ftrace sysfs operations,
> like "echo FUNCNAME > set_ftrace_filter," hit this case and eventually fail.
> This patch fixes the issue both in get_user() and put_user().
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>   arch/arm64/include/asm/uaccess.h |   12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index edb3d5c..bbeab83 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -166,9 +166,11 @@ do {									\
>    #define get_user(x, ptr)						\
>   ({									\
> +	__typeof__(*(ptr)) *optr = (ptr);				\

I think this should be:

	__typeof__(*(ptr)) __user *optr = (ptr);

Otherwise the patch looks fine. I can fix the above.

Thanks.
Catalin Marinas Sept. 24, 2013, 2:25 p.m. UTC | #2 
On Tue, Sep 24, 2013 at 10:00:50AM +0100, AKASHI Takahiro wrote:
> get_user() is defined as a function macro in arm64, and trace_get_user()
> calls it as followed:
>      get_user(ch, ptr++);
> Since the second parameter occurs twice in the definition, 'ptr++' is
> unexpectedly evaluated twice and trace_get_user() will generate a bogus
> string from user-provided one. As a result, some ftrace sysfs operations,
> like "echo FUNCNAME > set_ftrace_filter," hit this case and eventually fail.
> This patch fixes the issue both in get_user() and put_user().
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>   arch/arm64/include/asm/uaccess.h |   12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index edb3d5c..bbeab83 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -166,9 +166,11 @@ do {									\
>    #define get_user(x, ptr)						\
>   ({									\
> +	__typeof__(*(ptr)) *optr = (ptr);				\
> +									\
>   	might_fault();							\
> -	access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?			\
> -		__get_user((x), (ptr)) :				\
> +	access_ok(VERIFY_READ, optr, sizeof(*optr)) ?			\
> +		__get_user((x), optr) :					\
>   		((x) = 0, -EFAULT);					\
>   })
>   @@ -227,9 +229,11 @@ do {									\
>    #define put_user(x, ptr)						\
>   ({									\
> +	__typeof__(*(ptr)) *optr = (ptr);				\
> +									\
>   	might_fault();							\
> -	access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ?		\
> -		__put_user((x), (ptr)) :				\
> +	access_ok(VERIFY_WRITE, optr, sizeof(*optr)) ?			\
> +		__put_user((x), optr) :					\
>   		-EFAULT;						\
>   })
>   -- 1.7.9.5

BTW, please use git send-email or other email client, the diff above is
heavily corrupted (too many spaces at the beginning of the line, removed
empty lines; I managed to fix it up this time but only because it was a
small patch).
AKASHI Takahiro Sept. 25, 2013, 9:29 a.m. UTC | #3 
Catalin,

Thank you for your comments, and let me send a revised patch again
because my original message didn't reach MLs due to my screw-up.

BTW, I will submit a patch of ftrace support on arm64 once gcc supports
gprof (-pg) options.

-Takahiro AKASHI

On 09/24/2013 11:25 PM, Catalin Marinas wrote:
> On Tue, Sep 24, 2013 at 10:00:50AM +0100, AKASHI Takahiro wrote:
>> get_user() is defined as a function macro in arm64, and trace_get_user()
>> calls it as followed:
>>       get_user(ch, ptr++);
>> Since the second parameter occurs twice in the definition, 'ptr++' is
>> unexpectedly evaluated twice and trace_get_user() will generate a bogus
>> string from user-provided one. As a result, some ftrace sysfs operations,
>> like "echo FUNCNAME > set_ftrace_filter," hit this case and eventually fail.
>> This patch fixes the issue both in get_user() and put_user().
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>    arch/arm64/include/asm/uaccess.h |   12 ++++++++----
>>    1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
>> index edb3d5c..bbeab83 100644
>> --- a/arch/arm64/include/asm/uaccess.h
>> +++ b/arch/arm64/include/asm/uaccess.h
>> @@ -166,9 +166,11 @@ do {									\
>>     #define get_user(x, ptr)						\
>>    ({									\
>> +	__typeof__(*(ptr)) *optr = (ptr);				\
>> +									\
>>    	might_fault();							\
>> -	access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?			\
>> -		__get_user((x), (ptr)) :				\
>> +	access_ok(VERIFY_READ, optr, sizeof(*optr)) ?			\
>> +		__get_user((x), optr) :					\
>>    		((x) = 0, -EFAULT);					\
>>    })
>>    @@ -227,9 +229,11 @@ do {									\
>>     #define put_user(x, ptr)						\
>>    ({									\
>> +	__typeof__(*(ptr)) *optr = (ptr);				\
>> +									\
>>    	might_fault();							\
>> -	access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ?		\
>> -		__put_user((x), (ptr)) :				\
>> +	access_ok(VERIFY_WRITE, optr, sizeof(*optr)) ?			\
>> +		__put_user((x), optr) :					\
>>    		-EFAULT;						\
>>    })
>>    -- 1.7.9.5
>
> BTW, please use git send-email or other email client, the diff above is
> heavily corrupted (too many spaces at the beginning of the line, removed
> empty lines; I managed to fix it up this time but only because it was a
> small patch).
>
Catalin Marinas Sept. 25, 2013, 1:21 p.m. UTC | #4 
On Wed, Sep 25, 2013 at 10:29:52AM +0100, AKASHI Takahiro wrote:
> Thank you for your comments, and let me send a revised patch again
> because my original message didn't reach MLs due to my screw-up.

You can send it if you want but I already merged it in my tree (should
appear in -next this week as well).
diff mbox

Patch

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index edb3d5c..bbeab83 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -166,9 +166,11 @@  do {									\
   #define get_user(x, ptr)						\
  ({									\
+	__typeof__(*(ptr)) *optr = (ptr);				\
+									\
  	might_fault();							\
-	access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?			\
-		__get_user((x), (ptr)) :				\
+	access_ok(VERIFY_READ, optr, sizeof(*optr)) ?			\
+		__get_user((x), optr) :					\
  		((x) = 0, -EFAULT);					\
  })
  @@ -227,9 +229,11 @@ do {									\
   #define put_user(x, ptr)						\