The generic uaccess.h implements get_user() and put_user() as macros. The
current version of these do not properly handle pointers passed in with
post-increment and the like. In the case of put_user(0, ptr++), ptr gets
incremented twice. Once for the call to access_ok() and once in __put_user().
This patch creates a local copy of the pointer so that it is safe to use
post/pre increment/decrement on the pointer arg.
Signed-off-by: Mark Salter <msalter@xxxxxxxxxx>
---
include/asm-generic/uaccess.h | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index 1d0fdf8..5079335 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -162,9 +162,10 @@ static inline __must_check long __copy_to_user(void __user *to,
#define put_user(x, ptr) \
({ \
+ __typeof__(*(ptr)) *__pu_ptr = (ptr); \
might_sleep(); \
- access_ok(VERIFY_WRITE, ptr, sizeof(*ptr)) ? \
- __put_user(x, ptr) : \
+ access_ok(VERIFY_WRITE, __pu_ptr, sizeof(*ptr)) ? \
+ __put_user(x, __pu_ptr) : \
-EFAULT; \
})
@@ -218,9 +219,10 @@ extern int __put_user_bad(void) __attribute__((noreturn));
#define get_user(x, ptr) \
({ \
+ __typeof__(*(ptr)) *__gu_ptr = (ptr); \
might_sleep(); \
- access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
- __get_user(x, ptr) : \
+ access_ok(VERIFY_READ, __gu_ptr, sizeof(*ptr)) ? \
+ __get_user(x, __gu_ptr) : \
-EFAULT; \
})
--
1.6.2.5
--
To unsubscribe from this list: send the line "unsubscribe linux-arch" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
