copyout(9), copyinstr(9) and copyoutstr(9) should bail out

properly if they are called with a length of 0.

Found by our regression tests
Debugged with deraadt@
ok kettenis@

1 files changed, 9 insertions, 3 deletions

diff --git a/sys/arch/arm64/arm64/copystr.S b/sys/arch/arm64/arm64/copystr.S
index 73e96bd30c9..13935f722ca 100644
--- a/sys/arch/arm64/arm64/copystr.S
+++ b/sys/arch/arm64/arm64/copystr.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: copystr.S,v 1.6 2020/01/11 16:41:30 deraadt Exp $ */
+/* $OpenBSD: copystr.S,v 1.7 2020/10/20 23:21:41 patrick Exp $ */
 /*
  * Copyright (c) 2015 Dale Rahn <drahn@dalerahn.com>
  * Copyright (c) 2014 Patrick Wildt <patrick@blueri.se>
@@ -42,6 +42,7 @@ ENTRY(copystr)
 	str	x7, [x6, #(PCB_ONFAULT)]	// set handler
 
 	mov	x8, xzr
+	cbz	x2, 2f
 
 1:	ldrb	w4, [x0], 1
 	strb	w4, [x1], #1
@@ -50,6 +51,7 @@ ENTRY(copystr)
 	cbz	w4, .Lcopystrsuccess
 	cbnz	x2, 1b
 
+2:
 	mov	x0, #ENAMETOOLONG
 	b	.Lcopystrcleanup
 
@@ -61,9 +63,9 @@ ENTRY(copystr)
 	mov	x0, xzr
 
 .Lcopystrcleanup:
-	cbz	x3, 2f
+	cbz	x3, 3f
 	str	x8, [x3]
-2:
+3:
 	str	x5, [x6, #(PCB_ONFAULT)]
 	RETGUARD_CHECK(copystr, x15)
 	ret
@@ -85,6 +87,7 @@ ENTRY(copyinstr)
 	str	x7, [x6, #(PCB_ONFAULT)]	// set handler
 
 	mov	x8, xzr
+	cbz	x2, 2f
 
 1:	tst	x0, #(1ULL << 63)
 	b.ne	.Lcopystrfault
@@ -96,6 +99,7 @@ ENTRY(copyinstr)
 	cbz	w4, .Lcopystrsuccess
 	cbnz	x2, 1b
 
+2:
 	mov	x0, #ENAMETOOLONG
 	b	.Lcopystrcleanup
 
@@ -116,6 +120,7 @@ ENTRY(copyoutstr)
 	str	x7, [x6, #(PCB_ONFAULT)]	// set handler
 
 	mov	x8, xzr
+	cbz	x2, 2f
 
 1:	tst	x1, #(1ULL << 63)
 	b.ne	.Lcopystrfault
@@ -127,5 +132,6 @@ ENTRY(copyoutstr)
 	cbz	w4, .Lcopystrsuccess
 	cbnz	x2, 1b
 
+2:
 	mov	x0, #ENAMETOOLONG
 	b	.Lcopystrcleanup