strncpy_from_user.c - cachepc-linux - Fork of AMDESE/linux with modifications for CachePC side-channel attack

	cachepc-linux Fork of AMDESE/linux with modifications for CachePC side-channel attack
	git clone https://git.sinitax.com/sinitax/cachepc-linux
	Log \| Files \| Refs \| README \| LICENSE \| sfeed.txt
strncpy_from_user.c (4032B)
      1// SPDX-License-Identifier: GPL-2.0
      2#include <linux/compiler.h>
      3#include <linux/export.h>
      4#include <linux/fault-inject-usercopy.h>
      5#include <linux/kasan-checks.h>
      6#include <linux/thread_info.h>
      7#include <linux/uaccess.h>
      8#include <linux/kernel.h>
      9#include <linux/errno.h>
     10#include <linux/mm.h>
     11
     12#include <asm/byteorder.h>
     13#include <asm/word-at-a-time.h>
     14
     15#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
     16#define IS_UNALIGNED(src, dst)	0
     17#else
     18#define IS_UNALIGNED(src, dst)	\
     19	(((long) dst | (long) src) & (sizeof(long) - 1))
     20#endif
     21
     22/*
     23 * Do a strncpy, return length of string without final '\0'.
     24 * 'count' is the user-supplied count (return 'count' if we
     25 * hit it), 'max' is the address space maximum (and we return
     26 * -EFAULT if we hit it).
     27 */
     28static __always_inline long do_strncpy_from_user(char *dst, const char __user *src,
     29					unsigned long count, unsigned long max)
     30{
     31	const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
     32	unsigned long res = 0;
     33
     34	if (IS_UNALIGNED(src, dst))
     35		goto byte_at_a_time;
     36
     37	while (max >= sizeof(unsigned long)) {
     38		unsigned long c, data, mask;
     39
     40		/* Fall back to byte-at-a-time if we get a page fault */
     41		unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time);
     42
     43		/*
     44		 * Note that we mask out the bytes following the NUL. This is
     45		 * important to do because string oblivious code may read past
     46		 * the NUL. For those routines, we don't want to give them
     47		 * potentially random bytes after the NUL in `src`.
     48		 *
     49		 * One example of such code is BPF map keys. BPF treats map keys
     50		 * as an opaque set of bytes. Without the post-NUL mask, any BPF
     51		 * maps keyed by strings returned from strncpy_from_user() may
     52		 * have multiple entries for semantically identical strings.
     53		 */
     54		if (has_zero(c, &data, &constants)) {
     55			data = prep_zero_mask(c, data, &constants);
     56			data = create_zero_mask(data);
     57			mask = zero_bytemask(data);
     58			*(unsigned long *)(dst+res) = c & mask;
     59			return res + find_zero(data);
     60		}
     61
     62		*(unsigned long *)(dst+res) = c;
     63
     64		res += sizeof(unsigned long);
     65		max -= sizeof(unsigned long);
     66	}
     67
     68byte_at_a_time:
     69	while (max) {
     70		char c;
     71
     72		unsafe_get_user(c,src+res, efault);
     73		dst[res] = c;
     74		if (!c)
     75			return res;
     76		res++;
     77		max--;
     78	}
     79
     80	/*
     81	 * Uhhuh. We hit 'max'. But was that the user-specified maximum
     82	 * too? If so, that's ok - we got as much as the user asked for.
     83	 */
     84	if (res >= count)
     85		return res;
     86
     87	/*
     88	 * Nope: we hit the address space limit, and we still had more
     89	 * characters the caller would have wanted. That's an EFAULT.
     90	 */
     91efault:
     92	return -EFAULT;
     93}
     94
     95/**
     96 * strncpy_from_user: - Copy a NUL terminated string from userspace.
     97 * @dst:   Destination address, in kernel space.  This buffer must be at
     98 *         least @count bytes long.
     99 * @src:   Source address, in user space.
    100 * @count: Maximum number of bytes to copy, including the trailing NUL.
    101 *
    102 * Copies a NUL-terminated string from userspace to kernel space.
    103 *
    104 * On success, returns the length of the string (not including the trailing
    105 * NUL).
    106 *
    107 * If access to userspace fails, returns -EFAULT (some data may have been
    108 * copied).
    109 *
    110 * If @count is smaller than the length of the string, copies @count bytes
    111 * and returns @count.
    112 */
    113long strncpy_from_user(char *dst, const char __user *src, long count)
    114{
    115	unsigned long max_addr, src_addr;
    116
    117	might_fault();
    118	if (should_fail_usercopy())
    119		return -EFAULT;
    120	if (unlikely(count <= 0))
    121		return 0;
    122
    123	max_addr = TASK_SIZE_MAX;
    124	src_addr = (unsigned long)untagged_addr(src);
    125	if (likely(src_addr < max_addr)) {
    126		unsigned long max = max_addr - src_addr;
    127		long retval;
    128
    129		/*
    130		 * Truncate 'max' to the user-specified limit, so that
    131		 * we only have one limit we need to check in the loop
    132		 */
    133		if (max > count)
    134			max = count;
    135
    136		kasan_check_write(dst, count);
    137		check_object_size(dst, count, false);
    138		if (user_read_access_begin(src, max)) {
    139			retval = do_strncpy_from_user(dst, src, count, max);
    140			user_read_access_end();
    141			return retval;
    142		}
    143	}
    144	return -EFAULT;
    145}
    146EXPORT_SYMBOL(strncpy_from_user);