LXR linux/lib/strncpy_from

   1// SPDX-License-Identifier: GPL-2.0
   2#include <linux/compiler.h>
   3#include <linux/export.h>
   4#include <linux/kasan-checks.h>
   5#include <linux/thread_info.h>
   6#include <linux/uaccess.h>
   7#include <linux/kernel.h>
   8#include <linux/errno.h>
   9
  10#include <asm/byteorder.h>
  11#include <asm/word-at-a-time.h>
  12
  13#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
  14#define IS_UNALIGNED(src, dst)  0
  15#else
  16#define IS_UNALIGNED(src, dst)  \
  17        (((long) dst | (long) src) & (sizeof(long) - 1))
  18#endif
  19
  20/*
  21 * Do a strncpy, return length of string without final '\0'.
  22 * 'count' is the user-supplied count (return 'count' if we
  23 * hit it), 'max' is the address space maximum (and we return
  24 * -EFAULT if we hit it).
  25 */
  26static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
  27{
  28        const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
  29        long res = 0;
  30
  31        if (IS_UNALIGNED(src, dst))
  32                goto byte_at_a_time;
  33
  34        while (max >= sizeof(unsigned long)) {
  35                unsigned long c, data, mask;
  36
  37                /* Fall back to byte-at-a-time if we get a page fault */
  38                unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time);
  39
  40                /*
  41                 * Note that we mask out the bytes following the NUL. This is
  42                 * important to do because string oblivious code may read past
  43                 * the NUL. For those routines, we don't want to give them
  44                 * potentially random bytes after the NUL in `src`.
  45                 *
  46                 * One example of such code is BPF map keys. BPF treats map keys
  47                 * as an opaque set of bytes. Without the post-NUL mask, any BPF
  48                 * maps keyed by strings returned from strncpy_from_user() may
  49                 * have multiple entries for semantically identical strings.
  50                 */
  51                if (has_zero(c, &data, &constants)) {
  52                        data = prep_zero_mask(c, data, &constants);
  53                        data = create_zero_mask(data);
  54                        mask = zero_bytemask(data);
  55                        *(unsigned long *)(dst+res) = c & mask;
  56                        return res + find_zero(data);
  57                }
  58
  59                *(unsigned long *)(dst+res) = c;
  60
  61                res += sizeof(unsigned long);
  62                max -= sizeof(unsigned long);
  63        }
  64
  65byte_at_a_time:
  66        while (max) {
  67                char c;
  68
  69                unsafe_get_user(c,src+res, efault);
  70                dst[res] = c;
  71                if (!c)
  72                        return res;
  73                res++;
  74                max--;
  75        }
  76
  77        /*
  78         * Uhhuh. We hit 'max'. But was that the user-specified maximum
  79         * too? If so, that's ok - we got as much as the user asked for.
  80         */
  81        if (res >= count)
  82                return res;
  83
  84        /*
  85         * Nope: we hit the address space limit, and we still had more
  86         * characters the caller would have wanted. That's an EFAULT.
  87         */
  88efault:
  89        return -EFAULT;
  90}
  91
  92/**
  93 * strncpy_from_user: - Copy a NUL terminated string from userspace.
  94 * @dst:   Destination address, in kernel space.  This buffer must be at
  95 *         least @count bytes long.
  96 * @src:   Source address, in user space.
  97 * @count: Maximum number of bytes to copy, including the trailing NUL.
  98 *
  99 * Copies a NUL-terminated string from userspace to kernel space.
 100 *
 101 * On success, returns the length of the string (not including the trailing
 102 * NUL).
 103 *
 104 * If access to userspace fails, returns -EFAULT (some data may have been
 105 * copied).
 106 *
 107 * If @count is smaller than the length of the string, copies @count bytes
 108 * and returns @count.
 109 */
 110long strncpy_from_user(char *dst, const char __user *src, long count)
 111{
 112        unsigned long max_addr, src_addr;
 113
 114        if (unlikely(count <= 0))
 115                return 0;
 116
 117        max_addr = user_addr_max();
 118        src_addr = (unsigned long)src;
 119        if (likely(src_addr < max_addr)) {
 120                unsigned long max = max_addr - src_addr;
 121                long retval;
 122
 123                /*
 124                 * Truncate 'max' to the user-specified limit, so that
 125                 * we only have one limit we need to check in the loop
 126                 */
 127                if (max > count)
 128                        max = count;
 129
 130                kasan_check_write(dst, count);
 131                check_object_size(dst, count, false);
 132                if (user_access_begin(src, max)) {
 133                        retval = do_strncpy_from_user(dst, src, count, max);
 134                        user_access_end();
 135                        return retval;
 136                }
 137        }
 138        return -EFAULT;
 139}
 140EXPORT_SYMBOL(strncpy_from_user);
 141