On Tue, Oct 15, 2019 at 07:40:34PM +0100, Al Viro wrote:
> On Tue, Oct 15, 2019 at 09:09:02PM +0300, Pavel V. Panteleev wrote:
> > Hello,
> >
> > copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. It's
> > not correct. Really it should check USER_DS boudary, because some archs have
> > TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE)
> > exact_copy_from_user() will stop on access_ok() check, if data cross
> > USER_DS, but doesn't cross TASK_SIZE.
>
> Details of the call chain, please.
FWIW, what I want to do with copy_mount_options() is this:
void *copy_mount_options(const void __user * data)
{
unsigned offs, size;
char *copy;
if (!data)
return NULL;
copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!copy)
return ERR_PTR(-ENOMEM);
offs = (unsigned long)data & (PAGE_SIZE - 1);
if (copy_from_user(copy, data, PAGE_SIZE - offs)) {
kfree(copy);
return ERR_PTR(-EFAULT);
}
if (offs) {
if (copy_from_user(copy, data + PAGE_SIZE - offs, offs))
memset(copy + PAGE_SIZE - offs, 0, offs);
}
return copy;
}
which should get rid of any TASK_SIZE references whatsoever, but I really
wonder where have you run into the problem.
