From 2c6308fe54c10075379cb00506d5519e0ced1076 Mon Sep 17 00:00:00 2001 From: Eric Anholt Date: Tue, 8 Nov 2005 09:02:02 +0000 Subject: Correct a LOR on FreeBSD by allocating a temporary buffer and doing a single COPY_FROM_USER into it, rather than VERIFYAREA followed by many COPY_FROM_USER_UNCHECKEDs. --- shared-core/mach64_state.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'shared-core') diff --git a/shared-core/mach64_state.c b/shared-core/mach64_state.c index 45dd55d5..964d4c58 100644 --- a/shared-core/mach64_state.c +++ b/shared-core/mach64_state.c @@ -479,25 +479,29 @@ static int mach64_do_get_frames_queued(drm_mach64_private_t * dev_priv) /* Copy and verify a client submited buffer. * FIXME: Make an assembly optimized version */ -static __inline__ int copy_and_verify_from_user(u32 * to, const u32 * from, +static __inline__ int copy_and_verify_from_user(u32 *to, + const u32 __user *ufrom, unsigned long bytes) { unsigned long n = bytes; /* dwords remaining in buffer */ + u32 *from, *orig_from; - if (DRM_VERIFYAREA_READ(from, n)) { - DRM_ERROR("%s: verify_area\n", __FUNCTION__); + from = drm_alloc(bytes, DRM_MEM_DRIVER); + if (from == NULL) + return ENOMEM; + + if (DRM_COPY_FROM_USER(from, ufrom, bytes)) { + drm_free(from, bytes, DRM_MEM_DRIVER); return DRM_ERR(EFAULT); } + orig_from = from; /* we'll be modifying the "from" ptr, so save it */ n >>= 2; while (n > 1) { u32 data, reg, count; - if (DRM_GET_USER_UNCHECKED(data, from++)) { - DRM_ERROR("%s: get_user\n", __FUNCTION__); - return DRM_ERR(EFAULT); - } + data = *from++; n--; @@ -513,28 +517,25 @@ static __inline__ int copy_and_verify_from_user(u32 * to, const u32 * from, if ((reg >= 0x0190 && reg < 0x01c1) || (reg >= 0x01ca && reg <= 0x01cf)) { *to++ = data; - if (DRM_COPY_FROM_USER_UNCHECKED - (to, from, count << 2)) { - DRM_ERROR("%s: copy_from_user\n", - __FUNCTION__); - return DRM_ERR(EFAULT); - } + memcpy(to, from, count << 2); + from += count; to += count; } else { DRM_ERROR("%s: Got bad command: 0x%04x\n", __FUNCTION__, reg); + drm_free(orig_from, bytes, DRM_MEM_DRIVER); return DRM_ERR(EACCES); } - - from += count; } else { DRM_ERROR ("%s: Got bad command count(=%u) dwords remaining=%lu\n", __FUNCTION__, count, n); + drm_free(orig_from, bytes, DRM_MEM_DRIVER); return DRM_ERR(EINVAL); } } + drm_free(orig_from, bytes, DRM_MEM_DRIVER); if (n == 0) return 0; else { -- cgit v1.2.3