Author: wma
Date: Thu Mar 24 13:28:33 2016
New Revision: 297235
URL: https://svnweb.freebsd.org/changeset/base/297235

Log:
  arm64: Fixing user space boundary checking in copyinout.S
  
  A big buffer size could cause an integer overflow and, as a result,
  an attempt to copy beyond VM_MAXUSER_ADDRESS.
  
  Fixing copyinstr boundary checking where compared value has been
  overwritten by accident when setting fault handler.
  
  Submitted by:          Dominik Ermel <d...@semihalf.com>
  Obtained from:         Semihalf
  Sponsored by:          Cavium
  Reviewed by:           kib
  Differential Revision: https://reviews.freebsd.org/D5719

Modified:
  head/sys/arm64/arm64/copyinout.S

Modified: head/sys/arm64/arm64/copyinout.S
==============================================================================
--- head/sys/arm64/arm64/copyinout.S    Thu Mar 24 11:40:10 2016        
(r297234)
+++ head/sys/arm64/arm64/copyinout.S    Thu Mar 24 13:28:33 2016        
(r297235)
@@ -52,7 +52,8 @@ END(copyio_fault)
  */
 ENTRY(copyout)
        cbz     x2, 1f
-       add     x3, x1, x2
+       adds    x3, x1, x2
+       b.cs    copyio_fault_nopcb
        ldr     x4, =VM_MAXUSER_ADDRESS
        cmp     x3, x4
        b.hi    copyio_fault_nopcb
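Review bot: The `adds`/`b.cs` pair added to copyout has no comment saying that the carry flag is the wrap-around test, and the identical pair is repeated in copyin in the next hunk. Without one, a later cleanup could turn `adds` back into `add` and reintroduce the case where the address-plus-length sum in x3 wraps to a small value and passes the `cmp x3, x4` / `b.hi` range check. I would put `/* addr + len overflowed 64 bits: fail before the range check */` above each `b.cs copyio_fault_nopcb`. Since both entry points now carry the same five-instruction bounds check, a small shared macro would keep them from drifting apart. Both function bodies continue outside their hunks.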
@@ -71,7 +72,8 @@ END(copyout)
  */
 ENTRY(copyin)
        cbz     x2, 1f
-       add     x3, x0, x2
+       adds    x3, x0, x2
+       b.cs    copyio_fault_nopcb
        ldr     x4, =VM_MAXUSER_ADDRESS
        cmp     x3, x4
        b.hi    copyio_fault_nopcb
@@ -92,11 +94,11 @@ ENTRY(copyinstr)
        mov     x5, xzr         /* count = 0 */
        mov     w4, #1          /* If zero return faulure */
        cbz     x2, 3f          /* If len == 0 then skip loop */
-       ldr     x7, =VM_MAXUSER_ADDRESS
 
        adr     x6, copyio_fault /* Get the handler address */
        SET_FAULT_HANDLER(x6, x7) /* Set the handler */
 
+       ldr     x7, =VM_MAXUSER_ADDRESS
 1:     cmp     x0, x7
        b.cs    copyio_fault
        ldrb    w4, [x0], #1    /* Load from uaddr */
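Review bot: The limit in x7 is now correct only because the `ldr` sits after `SET_FAULT_HANDLER(x6, x7)`, and nothing in the code records that ordering requirement. The commit log says the macro overwrote the compared value, so x7 appears to be its scratch register; the macro body is not visible here. I would add `/* Load the limit after SET_FAULT_HANDLER, which uses x7 as a temporary */` above the moved `ldr x7, =VM_MAXUSER_ADDRESS`, so that the per-byte `cmp x0, x7` check is not broken again by reordering. Passing the macro a register that the loop does not depend on would remove the dependency altogether, provided one is free; the rest of copyinstr is outside the hunk.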