mips64 _access_ok fix

mips64 _access_ok fix

[Atsushi Nemoto]

The mips64 _access_ok macro in 2.4 tree returns 0 if 'addr' + 'size'
== TASK_SIZE.

Also, __ua_size macro returus 0 if 'size' is negative constant.  I
think we must not skip checking negative constant.

Here is a fix.  For 2.6 tree, only _access_ok fix will be needed
(__ua_size is already fixed).

diff -u linux-mips-cvs/include/asm-mips64/uaccess.h linux.new/include/asm-mips64/uaccess.h
--- linux-mips-cvs/include/asm-mips64/uaccess.h	Tue Jul 15 20:21:59 2003
+++ linux.new/include/asm-mips64/uaccess.h	Thu Sep 11 12:29:08 2003
@@ -46,10 +46,10 @@
  *  - OR we are in kernel mode.
  */
 #define __ua_size(size)							\
-	((__builtin_constant_p(size) && (size)) > 0 ? 0 : (size))
+	(__builtin_constant_p(size) && (signed long) (size) > 0 ? 0 : (size))
 
 #define __access_ok(addr, size, mask)					\
-	(((mask) & ((addr) | ((addr) + (size)) | __ua_size(size))) == 0)
+	(((mask) & ((addr) | ((addr) + (size) - 1) | __ua_size(size))) == 0)
 
 #define __access_mask get_fs().seg
 
---
Atsushi Nemoto

Re: mips64 _access_ok fix

[Atsushi Nemoto]

>>>>> On Thu, 11 Sep 2003 12:43:50 +0900 (JST), Atsushi Nemoto <anemo@mba.ocn.ne.jp> said:
anemo> The mips64 _access_ok macro in 2.4 tree returns 0 if 'addr' +
anemo> 'size' == TASK_SIZE.

anemo> Also, __ua_size macro returus 0 if 'size' is negative constant.
anemo> I think we must not skip checking negative constant.

anemo> Here is a fix.  For 2.6 tree, only _access_ok fix will be
anemo> needed (__ua_size is already fixed).

I know this fix is not complete.  __access_ok(0, 0, __access_mask)
will return 0.

I could not find out good expression (i.e. no conditional branch) to
handle this case.

I suppose nobody do take care of this since addr 0 is invalid pointer
anyway.

---
Atsushi Nemoto

Re: mips64 _access_ok fix

[Ralf Baechle]

On Thu, Sep 11, 2003 at 01:43:23PM +0900, Atsushi Nemoto wrote:

> I know this fix is not complete.  __access_ok(0, 0, __access_mask)
> will return 0.
> 
> I could not find out good expression (i.e. no conditional branch) to
> handle this case.
> 
> I suppose nobody do take care of this since addr 0 is invalid pointer
> anyway.

That behaviour of __access_ok() is actually ok;  __access_ok only needs
to return non-zero only for addresses >= TASK_SIZE.  For two reason
the case you're mentioning is not a problem.  As you say 0 is (usually)
a bad pointer value so if the kernel tries to dereference it, an
TLB exception is going to happen and the exception handling code will
deal with the case.  Second the size argument is zero and after all
that means the kernel won't touch the address range anyway because
hey, it's zero-length!

  Ralf

Re: mips64 _access_ok fix

[Atsushi Nemoto]

>>>>> On Thu, 11 Sep 2003 16:16:29 +0200, Ralf Baechle <ralf@linux-mips.org> said:
>> I know this fix is not complete.  __access_ok(0, 0, __access_mask)
>> will return 0.

ralf> That behaviour of __access_ok() is actually ok;

Then could you apply the patch?  I think the fix is needed for 64bit
native mount syscall (which try to read variable length string
parameters from user stack).
---
Atsushi Nemoto