From: deraadt <deraadt@openbsd.org>
Date: Sat, 15 May 2021 20:14:05 +0000 (+0000)
Subject: In all the copyin family functions, must compare end-address against
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d375faf4f3d255d3a347972b33f95edbae6a326f;p=openbsd

In all the copyin family functions, must compare end-address against
VM_MAXUSER_ADDRESS with bgtu, signed comparison is incorrect.  Now passes
regress/sys/copy
ok drahn kettenis
---

diff --git a/sys/arch/riscv64/riscv64/copy.S b/sys/arch/riscv64/riscv64/copy.S
index 84fa6442ae3..54ab2d2f783 100644
--- a/sys/arch/riscv64/riscv64/copy.S
+++ b/sys/arch/riscv64/riscv64/copy.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: copy.S,v 1.3 2021/05/15 00:04:32 drahn Exp $	*/
+/*	$OpenBSD: copy.S,v 1.4 2021/05/15 20:14:05 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2020 Brian Bamsch <bbamsch@google.com>
@@ -44,7 +44,7 @@ ENTRY(copyin)
 	bltu	a3, a0, .Lcopyiofault_nopcb
 	/* Check that source+len is in userspace. */
 	li	a4, VM_MAXUSER_ADDRESS
-	bgt	a3, a4, .Lcopyiofault_nopcb
+	bgtu	a3, a4, .Lcopyiofault_nopcb
 
 	la	a3, .Lcopyiofault_user
 	SWAP_FAULT_HANDLER(a3, a4, a5)
@@ -92,7 +92,7 @@ ENTRY(copyout)
 	bltu	a3, a1, .Lcopyiofault_nopcb
 	/* Check that source+len is in userspace. */
 	li	a4, VM_MAXUSER_ADDRESS
-	bgt	a3, a4, .Lcopyiofault_nopcb
+	bgtu	a3, a4, .Lcopyiofault_nopcb
 
 	la	a3, .Lcopyiofault_user
 	SWAP_FAULT_HANDLER(a3, a4, a5)
diff --git a/sys/arch/riscv64/riscv64/copystr.S b/sys/arch/riscv64/riscv64/copystr.S
index 7fb7de5f4df..45209bbbe01 100644
--- a/sys/arch/riscv64/riscv64/copystr.S
+++ b/sys/arch/riscv64/riscv64/copystr.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: copystr.S,v 1.2 2021/05/12 01:20:52 jsg Exp $	*/
+/*	$OpenBSD: copystr.S,v 1.3 2021/05/15 20:14:05 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Dale Rahn <drahn@dalerahn.com>
@@ -98,7 +98,7 @@ ENTRY(copyinstr)
 	mv	a5, x0
 
 	li	t1, VM_MAXUSER_ADDRESS
-1:	bgt	a0, t1, .Lcopyiostrfault_user
+1:	bgtu	a0, t1, .Lcopyiostrfault_user
 	lb	t0, 0(a0)
 	addi	a0, a0, 1
 	sb	t0, 0(a1)
@@ -129,7 +129,7 @@ ENTRY(copyoutstr)
 	mv	a5, x0
 
 	li	t1, VM_MAXUSER_ADDRESS
-1:	bgt	a1, t1, .Lcopyiostrfault_user
+1:	bgtu	a1, t1, .Lcopyiostrfault_user
 	lb	t0, 0(a0)
 	addi	a0, a0, 1
 	sb	t0, 0(a1)