Diff - f45655f6a65538237359abce55edab9cfcc6d82f^! - android_kernel_oneplus_msm8996

commit	f45655f6a65538237359abce55edab9cfcc6d82f	[log] [tgz]
author	Heiko Carstens <heiko.carstens@de.ibm.com>	Thu Feb 21 13:30:42 2013 +0100
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	Thu Feb 28 09:37:08 2013 +0100
tree	bf392ffe658ae512ed992ff24a3b6f5a32c092f7
parent	d7b788cd06a3080ebf0b2f5f2e008d4fda2b336e [diff] [blame]

s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case

If the maximum length specified for the to be accessed string for
strncpy_from_user() and strnlen_user() is zero the following incorrect
values would be returned or incorrect memory accesses would happen:

strnlen_user_std() and strnlen_user_pt() incorrectly return "1"
strncpy_from_user_pt() would incorrectly access "dst[maxlen - 1]"
strncpy_from_user_mvcos() would incorrectly return "-EFAULT"

Fix all these oddities by adding early checks.

Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diff --git a/arch/s390/lib/uaccess_mvcos.c b/arch/s390/lib/uaccess_mvcos.c
index 7f3eb3d..1829742 100644
--- a/arch/s390/lib/uaccess_mvcos.c
+++ b/arch/s390/lib/uaccess_mvcos.c

@@ -184,6 +184,8 @@
 {
 	size_t done, len, offset, len_str;
 
+	if (unlikely(!count))
+		return 0;
 	done = 0;
 	do {
 		offset = (size_t)src & ~PAGE_MASK;