In __access_ok, TASK_SIZE_MAX is used to check if a memory access is in user address space, but some cases may get omitted in compat mode. For example, a 32-bit testcase calling pread64(fd, buf, -1, 1) and running in x86-64 kernel, the obviously illegal size "-1" will get ignored by __access_ok. Since from the kernel point of view, 32-bit userspace 0xffffffff is within the limit of 64-bit TASK_SIZE_MAX. Replacing the limit TASK_SIZE_MAX with TASK_SIZE in __access_ok will fix the problem above. Fixes: 967747bbc084 ("uaccess: remove CONFIG_SET_FS") Signed-off-by: Chen Jiahao <chenjiahao16@xxxxxxxxxx> --- include/asm-generic/access_ok.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/asm-generic/access_ok.h b/include/asm-generic/access_ok.h index 2866ae61b1cd..824a6bf1c32f 100644 --- a/include/asm-generic/access_ok.h +++ b/include/asm-generic/access_ok.h @@ -30,7 +30,7 @@ */ static inline int __access_ok(const void __user *ptr, unsigned long size) { - unsigned long limit = TASK_SIZE_MAX; + unsigned long limit = TASK_SIZE; unsigned long addr = (unsigned long)ptr; if (IS_ENABLED(CONFIG_ALTERNATE_USER_ADDRESS_SPACE) || -- 2.31.1
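Review bot: The change at `unsigned long limit = TASK_SIZE;` in `__access_ok()` does not address the problem the commit message describes, and it has a cost the message does not discuss. `__access_ok()` exists only to keep a user pointer range from reaching kernel addresses; a 32-bit task running on an x86-64 kernel cannot form a pointer above 4 GiB, so `addr + 0xffffffff` staying below `TASK_SIZE_MAX` is not a hole, it is the intended check. The oversized `count` in `pread64(fd, buf, -1, 1)` is clamped by the read path itself (`vfs_read()` caps `count` at `MAX_RW_COUNT` after `rw_verify_area()`), so if a real misbehaviour was observed the message should show it and the fix belongs in that syscall's length validation, not in the generic access check. Replacing the constant `TASK_SIZE_MAX` with `TASK_SIZE` also changes every architecture that uses `include/asm-generic/access_ok.h`, and on x86-64 `TASK_SIZE` depends on the calling task's flags, so `__access_ok()` would go from comparing against a compile-time constant to reading per-task state on each invocation; that is the reason 967747bbc084 chose `TASK_SIZE_MAX` in the first place, and the `Fixes:` tag should not cite that commit unless a kernel-address access that it allows is demonstrated. Please either drop this patch or rework it with a concrete reproducer showing an address outside the task's user space passing `access_ok()`.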