sh: missing checks of __get_user()/__put_user() return values
authorAl Viro <viro@zeniv.linux.org.uk>
Sun, 22 Apr 2012 20:59:56 +0000 (16:59 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Tue, 22 May 2012 03:59:21 +0000 (23:59 -0400)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
arch/sh/kernel/signal_32.c
arch/sh/kernel/signal_64.c

index 04d776f..cb4172c 100644 (file)
@@ -71,10 +71,10 @@ sys_sigaction(int sig, const struct old_sigaction __user *act,
                old_sigset_t mask;
                if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
                    __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
-                   __get_user(new_ka.sa.sa_restorer, &act->sa_restorer))
+                   __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
+                   __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
+                   __get_user(mask, &act->sa_mask))
                        return -EFAULT;
-               __get_user(new_ka.sa.sa_flags, &act->sa_flags);
-               __get_user(mask, &act->sa_mask);
                siginitset(&new_ka.sa.sa_mask, mask);
        }
 
@@ -83,10 +83,10 @@ sys_sigaction(int sig, const struct old_sigaction __user *act,
        if (!ret && oact) {
                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
                    __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
-                   __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer))
+                   __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
+                   __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
+                   __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
                        return -EFAULT;
-               __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
-               __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask);
        }
 
        return ret;
@@ -150,12 +150,11 @@ static inline int save_sigcontext_fpu(struct sigcontext __user *sc,
        if (!(boot_cpu_data.flags & CPU_HAS_FPU))
                return 0;
 
-       if (!used_math()) {
-               __put_user(0, &sc->sc_ownedfp);
-               return 0;
-       }
+       if (!used_math())
+               return __put_user(0, &sc->sc_ownedfp);
 
-       __put_user(1, &sc->sc_ownedfp);
+       if (__put_user(1, &sc->sc_ownedfp))
+               return -EFAULT;
 
        /* This will cause a "finit" to be triggered by the next
           attempted FPU operation by the 'current' process.
@@ -195,7 +194,7 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p
                regs->sr |= SR_FD; /* Release FPU */
                clear_fpu(tsk, regs);
                clear_used_math();
-               __get_user (owned_fp, &sc->sc_ownedfp);
+               err |= __get_user (owned_fp, &sc->sc_ownedfp);
                if (owned_fp)
                        err |= restore_sigcontext_fpu(sc);
        }
@@ -386,11 +385,14 @@ static int setup_frame(int sig, struct k_sigaction *ka,
                struct fdpic_func_descriptor __user *funcptr =
                        (struct fdpic_func_descriptor __user *)ka->sa.sa_handler;
 
-               __get_user(regs->pc, &funcptr->text);
-               __get_user(regs->regs[12], &funcptr->GOT);
+               err |= __get_user(regs->pc, &funcptr->text);
+               err |= __get_user(regs->regs[12], &funcptr->GOT);
        } else
                regs->pc = (unsigned long)ka->sa.sa_handler;
 
+       if (err)
+               goto give_sigsegv;
+
        set_fs(USER_DS);
 
        pr_debug("SIG deliver (%s:%d): sp=%p pc=%08lx pr=%08lx\n",
@@ -470,11 +472,14 @@ static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
                struct fdpic_func_descriptor __user *funcptr =
                        (struct fdpic_func_descriptor __user *)ka->sa.sa_handler;
 
-               __get_user(regs->pc, &funcptr->text);
-               __get_user(regs->regs[12], &funcptr->GOT);
+               err |= __get_user(regs->pc, &funcptr->text);
+               err |= __get_user(regs->regs[12], &funcptr->GOT);
        } else
                regs->pc = (unsigned long)ka->sa.sa_handler;
 
+       if (err)
+               goto give_sigsegv;
+
        set_fs(USER_DS);
 
        pr_debug("SIG deliver (%s:%d): sp=%p pc=%08lx pr=%08lx\n",
index 8f6ed23..b589a35 100644 (file)
@@ -173,10 +173,10 @@ sys_sigaction(int sig, const struct old_sigaction __user *act,
                old_sigset_t mask;
                if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
                    __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
-                   __get_user(new_ka.sa.sa_restorer, &act->sa_restorer))
+                   __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
+                   __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
+                   __get_user(mask, &act->sa_mask))
                        return -EFAULT;
-               __get_user(new_ka.sa.sa_flags, &act->sa_flags);
-               __get_user(mask, &act->sa_mask);
                siginitset(&new_ka.sa.sa_mask, mask);
        }
 
@@ -185,10 +185,10 @@ sys_sigaction(int sig, const struct old_sigaction __user *act,
        if (!ret && oact) {
                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
                    __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
-                   __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer))
+                   __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
+                   __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
+                   __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
                        return -EFAULT;
-               __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
-               __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask);
        }
 
        return ret;