Merge branch 'merge'

[karo-tx-linux.git] / arch / powerpc / kernel / signal_32.c

diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 237faeec2ec2634302413d9eb4bb39ede02bc564..d73b25e22fca892fd7b2f2dce8db2d94ddc0efda 100644 (file)
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -808,10 +808,13 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
                if (__get_user(cmcp, &ucp->uc_regs))
                        return -EFAULT;
                mcp = (struct mcontext __user *)(u64)cmcp;
+               /* no need to check access_ok(mcp), since mcp < 4GB */
        }
 #else
        if (__get_user(mcp, &ucp->uc_regs))
                return -EFAULT;
+       if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
+               return -EFAULT;
 #endif
        restore_sigmask(&set);
        if (restore_user_regs(regs, mcp, sig))
@@ -913,13 +916,14 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
 {
        struct sig_dbg_op op;
        int i;
+       unsigned char tmp;
        unsigned long new_msr = regs->msr;
 #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
        unsigned long new_dbcr0 = current->thread.dbcr0;
 #endif
 
        for (i=0; i<ndbg; i++) {
-               if (__copy_from_user(&op, dbg, sizeof(op)))
+               if (copy_from_user(&op, dbg + i, sizeof(op)))
                        return -EFAULT;
                switch (op.dbg_type) {
                case SIG_DBG_SINGLE_STEPPING:
@@ -964,6 +968,11 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
        current->thread.dbcr0 = new_dbcr0;
 #endif
 
+       if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx))
+           || __get_user(tmp, (u8 __user *) ctx)
+           || __get_user(tmp, (u8 __user *) (ctx + 1) - 1))
+               return -EFAULT;
+
        /*
         * If we get a fault copying the context into the kernel's
         * image of the user's registers, we can't just return -EFAULT