1b2441318SGreg Kroah-Hartman // SPDX-License-Identifier: GPL-2.0
2bf3c2d6dSRasmus Villemoes #include <linux/compiler.h>
3bf3c2d6dSRasmus Villemoes #include <linux/export.h>
44d0e9df5SAlbert van der Linde #include <linux/fault-inject-usercopy.h>
51771c6e1SAndrey Ryabinin #include <linux/kasan-checks.h>
6bf90e56eSMark Rutland #include <linux/thread_info.h>
72922585bSDavid S. Miller #include <linux/uaccess.h>
82922585bSDavid S. Miller #include <linux/kernel.h>
92922585bSDavid S. Miller #include <linux/errno.h>
10903f433fSAndrey Konovalov #include <linux/mm.h>
112922585bSDavid S. Miller
122922585bSDavid S. Miller #include <asm/byteorder.h>
1336126f8fSLinus Torvalds #include <asm/word-at-a-time.h>
142922585bSDavid S. Miller
152922585bSDavid S. Miller #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
162922585bSDavid S. Miller #define IS_UNALIGNED(src, dst) 0
172922585bSDavid S. Miller #else
182922585bSDavid S. Miller #define IS_UNALIGNED(src, dst) \
192922585bSDavid S. Miller (((long) dst | (long) src) & (sizeof(long) - 1))
202922585bSDavid S. Miller #endif
212922585bSDavid S. Miller
222922585bSDavid S. Miller /*
232922585bSDavid S. Miller * Do a strncpy, return length of string without final '\0'.
242922585bSDavid S. Miller * 'count' is the user-supplied count (return 'count' if we
252922585bSDavid S. Miller * hit it), 'max' is the address space maximum (and we return
262922585bSDavid S. Miller * -EFAULT if we hit it).
272922585bSDavid S. Miller */
do_strncpy_from_user(char * dst,const char __user * src,unsigned long count,unsigned long max)28226d44acSPeter Zijlstra static __always_inline long do_strncpy_from_user(char *dst, const char __user *src,
2929da93feSPeter Zijlstra unsigned long count, unsigned long max)
302922585bSDavid S. Miller {
3136126f8fSLinus Torvalds const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
3229da93feSPeter Zijlstra unsigned long res = 0;
332922585bSDavid S. Miller
342922585bSDavid S. Miller if (IS_UNALIGNED(src, dst))
352922585bSDavid S. Miller goto byte_at_a_time;
362922585bSDavid S. Miller
372922585bSDavid S. Miller while (max >= sizeof(unsigned long)) {
386fa6d280SDaniel Xu unsigned long c, data, mask;
392922585bSDavid S. Miller
402922585bSDavid S. Miller /* Fall back to byte-at-a-time if we get a page fault */
411bd4403dSLinus Torvalds unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time);
421bd4403dSLinus Torvalds
436fa6d280SDaniel Xu /*
446fa6d280SDaniel Xu * Note that we mask out the bytes following the NUL. This is
456fa6d280SDaniel Xu * important to do because string oblivious code may read past
466fa6d280SDaniel Xu * the NUL. For those routines, we don't want to give them
476fa6d280SDaniel Xu * potentially random bytes after the NUL in `src`.
486fa6d280SDaniel Xu *
496fa6d280SDaniel Xu * One example of such code is BPF map keys. BPF treats map keys
506fa6d280SDaniel Xu * as an opaque set of bytes. Without the post-NUL mask, any BPF
516fa6d280SDaniel Xu * maps keyed by strings returned from strncpy_from_user() may
526fa6d280SDaniel Xu * have multiple entries for semantically identical strings.
536fa6d280SDaniel Xu */
5436126f8fSLinus Torvalds if (has_zero(c, &data, &constants)) {
5536126f8fSLinus Torvalds data = prep_zero_mask(c, data, &constants);
5636126f8fSLinus Torvalds data = create_zero_mask(data);
576fa6d280SDaniel Xu mask = zero_bytemask(data);
586fa6d280SDaniel Xu *(unsigned long *)(dst+res) = c & mask;
5936126f8fSLinus Torvalds return res + find_zero(data);
602922585bSDavid S. Miller }
616fa6d280SDaniel Xu
626fa6d280SDaniel Xu *(unsigned long *)(dst+res) = c;
636fa6d280SDaniel Xu
642922585bSDavid S. Miller res += sizeof(unsigned long);
652922585bSDavid S. Miller max -= sizeof(unsigned long);
662922585bSDavid S. Miller }
672922585bSDavid S. Miller
682922585bSDavid S. Miller byte_at_a_time:
692922585bSDavid S. Miller while (max) {
702922585bSDavid S. Miller char c;
712922585bSDavid S. Miller
721bd4403dSLinus Torvalds unsafe_get_user(c,src+res, efault);
732922585bSDavid S. Miller dst[res] = c;
742922585bSDavid S. Miller if (!c)
752922585bSDavid S. Miller return res;
762922585bSDavid S. Miller res++;
772922585bSDavid S. Miller max--;
782922585bSDavid S. Miller }
792922585bSDavid S. Miller
802922585bSDavid S. Miller /*
812922585bSDavid S. Miller * Uhhuh. We hit 'max'. But was that the user-specified maximum
822922585bSDavid S. Miller * too? If so, that's ok - we got as much as the user asked for.
832922585bSDavid S. Miller */
842922585bSDavid S. Miller if (res >= count)
852922585bSDavid S. Miller return res;
862922585bSDavid S. Miller
872922585bSDavid S. Miller /*
882922585bSDavid S. Miller * Nope: we hit the address space limit, and we still had more
892922585bSDavid S. Miller * characters the caller would have wanted. That's an EFAULT.
902922585bSDavid S. Miller */
911bd4403dSLinus Torvalds efault:
922922585bSDavid S. Miller return -EFAULT;
932922585bSDavid S. Miller }
942922585bSDavid S. Miller
952922585bSDavid S. Miller /**
962922585bSDavid S. Miller * strncpy_from_user: - Copy a NUL terminated string from userspace.
972922585bSDavid S. Miller * @dst: Destination address, in kernel space. This buffer must be at
982922585bSDavid S. Miller * least @count bytes long.
992922585bSDavid S. Miller * @src: Source address, in user space.
1002922585bSDavid S. Miller * @count: Maximum number of bytes to copy, including the trailing NUL.
1012922585bSDavid S. Miller *
1022922585bSDavid S. Miller * Copies a NUL-terminated string from userspace to kernel space.
1032922585bSDavid S. Miller *
1042922585bSDavid S. Miller * On success, returns the length of the string (not including the trailing
1052922585bSDavid S. Miller * NUL).
1062922585bSDavid S. Miller *
1072922585bSDavid S. Miller * If access to userspace fails, returns -EFAULT (some data may have been
1082922585bSDavid S. Miller * copied).
1092922585bSDavid S. Miller *
1102922585bSDavid S. Miller * If @count is smaller than the length of the string, copies @count bytes
1112922585bSDavid S. Miller * and returns @count.
1122922585bSDavid S. Miller */
strncpy_from_user(char * dst,const char __user * src,long count)1132922585bSDavid S. Miller long strncpy_from_user(char *dst, const char __user *src, long count)
1142922585bSDavid S. Miller {
1152922585bSDavid S. Miller unsigned long max_addr, src_addr;
1162922585bSDavid S. Miller
11707887358SKP Singh might_fault();
1184d0e9df5SAlbert van der Linde if (should_fail_usercopy())
1194d0e9df5SAlbert van der Linde return -EFAULT;
1202922585bSDavid S. Miller if (unlikely(count <= 0))
1212922585bSDavid S. Miller return 0;
1222922585bSDavid S. Miller
123967747bbSArnd Bergmann max_addr = TASK_SIZE_MAX;
124903f433fSAndrey Konovalov src_addr = (unsigned long)untagged_addr(src);
1252922585bSDavid S. Miller if (likely(src_addr < max_addr)) {
1262922585bSDavid S. Miller unsigned long max = max_addr - src_addr;
1279fd4470fSLinus Torvalds long retval;
1289fd4470fSLinus Torvalds
129ab10ae1cSChristophe Leroy /*
130ab10ae1cSChristophe Leroy * Truncate 'max' to the user-specified limit, so that
131ab10ae1cSChristophe Leroy * we only have one limit we need to check in the loop
132ab10ae1cSChristophe Leroy */
133ab10ae1cSChristophe Leroy if (max > count)
134ab10ae1cSChristophe Leroy max = count;
135ab10ae1cSChristophe Leroy
1361771c6e1SAndrey Ryabinin kasan_check_write(dst, count);
137bf90e56eSMark Rutland check_object_size(dst, count, false);
13841cd7805SChristophe Leroy if (user_read_access_begin(src, max)) {
1399fd4470fSLinus Torvalds retval = do_strncpy_from_user(dst, src, count, max);
14041cd7805SChristophe Leroy user_read_access_end();
1419fd4470fSLinus Torvalds return retval;
1422922585bSDavid S. Miller }
143594cc251SLinus Torvalds }
1442922585bSDavid S. Miller return -EFAULT;
1452922585bSDavid S. Miller }
1462922585bSDavid S. Miller EXPORT_SYMBOL(strncpy_from_user);
147