mm/maccess.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Access kernel memory without faulting.
   4  */
   5 #include <linux/export.h>
   6 #include <linux/mm.h>
   7 #include <linux/uaccess.h>
   8
   9 static __always_inline long
  10 probe_read_common(void *dst, const void __user *src, size_t size)
  11 {
  12         long ret;
  13
  14         pagefault_disable();
  15         ret = __copy_from_user_inatomic(dst, src, size);
  16         pagefault_enable();
  17
  18         return ret ? -EFAULT : 0;
  19 }
  20
  21 static __always_inline long
  22 probe_write_common(void __user *dst, const void *src, size_t size)
  23 {
  24         long ret;
  25
  26         pagefault_disable();
  27         ret = __copy_to_user_inatomic(dst, src, size);
  28         pagefault_enable();
  29
  30         return ret ? -EFAULT : 0;
  31 }
  32
  33 /**
  34  * probe_kernel_read(): safely attempt to read from a kernel-space location
  35  * @dst: pointer to the buffer that shall take the data
  36  * @src: address to read from
  37  * @size: size of the data chunk
  38  *
  39  * Safely read from address @src to the buffer at @dst.  If a kernel fault
  40  * happens, handle that and return -EFAULT.
  41  *
  42  * We ensure that the copy_from_user is executed in atomic context so that
  43  * do_page_fault() doesn't attempt to take mmap_sem.  This makes
  44  * probe_kernel_read() suitable for use within regions where the caller
  45  * already holds mmap_sem, or other locks which nest inside mmap_sem.
  46  *
  47  * probe_kernel_read_strict() is the same as probe_kernel_read() except for
  48  * the case where architectures have non-overlapping user and kernel address
  49  * ranges: probe_kernel_read_strict() will additionally return -EFAULT for
  50  * probing memory on a user address range where probe_user_read() is supposed
  51  * to be used instead.
  52  */
  53
  54 long __weak probe_kernel_read(void *dst, const void *src, size_t size)
  55     __attribute__((alias("__probe_kernel_read")));
  56
  57 long __weak probe_kernel_read_strict(void *dst, const void *src, size_t size)
  58     __attribute__((alias("__probe_kernel_read")));
  59
  60 long __probe_kernel_read(void *dst, const void *src, size_t size)
  61 {
  62         long ret;
  63         mm_segment_t old_fs = get_fs();
  64
  65         set_fs(KERNEL_DS);
  66         ret = probe_read_common(dst, (__force const void __user *)src, size);
  67         set_fs(old_fs);
  68
  69         return ret;
  70 }
  71 EXPORT_SYMBOL_GPL(probe_kernel_read);
  72
  73 /**
  74  * probe_user_read(): safely attempt to read from a user-space location
  75  * @dst: pointer to the buffer that shall take the data
  76  * @src: address to read from. This must be a user address.
  77  * @size: size of the data chunk
  78  *
  79  * Safely read from user address @src to the buffer at @dst. If a kernel fault
  80  * happens, handle that and return -EFAULT.
  81  */
  82
  83 long __weak probe_user_read(void *dst, const void __user *src, size_t size)
  84     __attribute__((alias("__probe_user_read")));
  85
  86 long __probe_user_read(void *dst, const void __user *src, size_t size)
  87 {
  88         long ret = -EFAULT;
  89         mm_segment_t old_fs = get_fs();
  90
  91         set_fs(USER_DS);
  92         if (access_ok(src, size))
  93                 ret = probe_read_common(dst, src, size);
  94         set_fs(old_fs);
  95
  96         return ret;
  97 }
  98 EXPORT_SYMBOL_GPL(probe_user_read);
  99
 100 /**
 101  * probe_kernel_write(): safely attempt to write to a location
 102  * @dst: address to write to
 103  * @src: pointer to the data that shall be written
 104  * @size: size of the data chunk
 105  *
 106  * Safely write to address @dst from the buffer at @src.  If a kernel fault
 107  * happens, handle that and return -EFAULT.
 108  */
 109
 110 long __weak probe_kernel_write(void *dst, const void *src, size_t size)
 111     __attribute__((alias("__probe_kernel_write")));
 112
 113 long __probe_kernel_write(void *dst, const void *src, size_t size)
 114 {
 115         long ret;
 116         mm_segment_t old_fs = get_fs();
 117
 118         set_fs(KERNEL_DS);
 119         ret = probe_write_common((__force void __user *)dst, src, size);
 120         set_fs(old_fs);
 121
 122         return ret;
 123 }
 124 EXPORT_SYMBOL_GPL(probe_kernel_write);
 125
 126 /**
 127  * probe_user_write(): safely attempt to write to a user-space location
 128  * @dst: address to write to
 129  * @src: pointer to the data that shall be written
 130  * @size: size of the data chunk
 131  *
 132  * Safely write to address @dst from the buffer at @src.  If a kernel fault
 133  * happens, handle that and return -EFAULT.
 134  */
 135
 136 long __weak probe_user_write(void __user *dst, const void *src, size_t size)
 137     __attribute__((alias("__probe_user_write")));
 138
 139 long __probe_user_write(void __user *dst, const void *src, size_t size)
 140 {
 141         long ret = -EFAULT;
 142         mm_segment_t old_fs = get_fs();
 143
 144         set_fs(USER_DS);
 145         if (access_ok(dst, size))
 146                 ret = probe_write_common(dst, src, size);
 147         set_fs(old_fs);
 148
 149         return ret;
 150 }
 151 EXPORT_SYMBOL_GPL(probe_user_write);
 152
 153 /**
 154  * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
 155  * @dst:   Destination address, in kernel space.  This buffer must be at
 156  *         least @count bytes long.
 157  * @unsafe_addr: Unsafe address.
 158  * @count: Maximum number of bytes to copy, including the trailing NUL.
 159  *
 160  * Copies a NUL-terminated string from unsafe address to kernel buffer.
 161  *
 162  * On success, returns the length of the string INCLUDING the trailing NUL.
 163  *
 164  * If access fails, returns -EFAULT (some data may have been copied
 165  * and the trailing NUL added).
 166  *
 167  * If @count is smaller than the length of the string, copies @count-1 bytes,
 168  * sets the last byte of @dst buffer to NUL and returns @count.
 169  *
 170  * strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
 171  * for the case where architectures have non-overlapping user and kernel address
 172  * ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
 173  * probing memory on a user address range where strncpy_from_unsafe_user() is
 174  * supposed to be used instead.
 175  */
 176
 177 long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
 178     __attribute__((alias("__strncpy_from_unsafe")));
 179
 180 long __weak strncpy_from_unsafe_strict(char *dst, const void *unsafe_addr,
 181                                        long count)
 182     __attribute__((alias("__strncpy_from_unsafe")));
 183
 184 long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
 185 {
 186         mm_segment_t old_fs = get_fs();
 187         const void *src = unsafe_addr;
 188         long ret;
 189
 190         if (unlikely(count <= 0))
 191                 return 0;
 192
 193         set_fs(KERNEL_DS);
 194         pagefault_disable();
 195
 196         do {
 197                 ret = __get_user(*dst++, (const char __user __force *)src++);
 198         } while (dst[-1] && ret == 0 && src - unsafe_addr < count);
 199
 200         dst[-1] = '\0';
 201         pagefault_enable();
 202         set_fs(old_fs);
 203
 204         return ret ? -EFAULT : src - unsafe_addr;
 205 }
 206
 207 /**
 208  * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
 209  *                              address.
 210  * @dst:   Destination address, in kernel space.  This buffer must be at
 211  *         least @count bytes long.
 212  * @unsafe_addr: Unsafe user address.
 213  * @count: Maximum number of bytes to copy, including the trailing NUL.
 214  *
 215  * Copies a NUL-terminated string from unsafe user address to kernel buffer.
 216  *
 217  * On success, returns the length of the string INCLUDING the trailing NUL.
 218  *
 219  * If access fails, returns -EFAULT (some data may have been copied
 220  * and the trailing NUL added).
 221  *
 222  * If @count is smaller than the length of the string, copies @count-1 bytes,
 223  * sets the last byte of @dst buffer to NUL and returns @count.
 224  */
 225 long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
 226                               long count)
 227 {
 228         mm_segment_t old_fs = get_fs();
 229         long ret;
 230
 231         if (unlikely(count <= 0))
 232                 return 0;
 233
 234         set_fs(USER_DS);
 235         pagefault_disable();
 236         ret = strncpy_from_user(dst, unsafe_addr, count);
 237         pagefault_enable();
 238         set_fs(old_fs);
 239
 240         if (ret >= count) {
 241                 ret = count;
 242                 dst[ret - 1] = '\0';
 243         } else if (ret > 0) {
 244                 ret++;
 245         }
 246
 247         return ret;
 248 }
 249
 250 /**
 251  * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
 252  * @unsafe_addr: The string to measure.
 253  * @count: Maximum count (including NUL)
 254  *
 255  * Get the size of a NUL-terminated string in user space without pagefault.
 256  *
 257  * Returns the size of the string INCLUDING the terminating NUL.
 258  *
 259  * If the string is too long, returns a number larger than @count. User
 260  * has to check the return value against "> count".
 261  * On exception (or invalid count), returns 0.
 262  *
 263  * Unlike strnlen_user, this can be used from IRQ handler etc. because
 264  * it disables pagefaults.
 265  */
 266 long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
 267 {
 268         mm_segment_t old_fs = get_fs();
 269         int ret;
 270
 271         set_fs(USER_DS);
 272         pagefault_disable();
 273         ret = strnlen_user(unsafe_addr, count);
 274         pagefault_enable();
 275         set_fs(old_fs);
 276
 277         return ret;
 278 }