[2/2] iio:kfifo_buf: check for uint overflow

Message ID	20180326212752.7321-2-mkelly@xevo.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-iio-owner@kernel.org> From: Martin Kelly <mkelly@xevo.com> To: linux-iio@vger.kernel.org Cc: Jonathan Cameron <jic23@kernel.org>, Martin Kelly <mkelly@xevo.com> Subject: [PATCH 2/2] iio:kfifo_buf: check for uint overflow Date: Mon, 26 Mar 2018 14:27:52 -0700 Message-Id: <20180326212752.7321-2-mkelly@xevo.com> In-Reply-To: <20180326212752.7321-1-mkelly@xevo.com> References: <20180326212752.7321-1-mkelly@xevo.com> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: None (protection.outlook.com: xevo.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; MW2PR0102MB3419; 23:tsGDRgxbFK4Ek3JXOLXmBYrfvyy/UpdaI+cDSVb?= =?us-ascii?Q?VaGr3XGYyJOK1b7FJb225NI2NkDTSshEdiPRiEmQAjjeZtmvn1oqeTqD0NzK?= =?us-ascii?Q?656sujN+U/YQsu/j7DNHPiHzw8Jc3gGQjAuCVIgSS+PrOrz9M8s6MTAeMI+b?= =?us-ascii?Q?G5yC98/ctLuPoWNOn1nQGKjSNWl49WTmbOIEsDTDLq1BhvGWWrZ4Z2nOk58G?= =?us-ascii?Q?WBYHnaZDrQ4QxRXP0JzCq1nABJamuUIoJrNuA5mct2w+/WyQvBRN2LOxUBVy?= =?us-ascii?Q?eiWwHZV5f/joh5AABaEMaNV4zILqL+Xc1cTnMMPFB/DbtgCVdlQwV6ixwAA+?= =?us-ascii?Q?UJ5/oWzFNeWcSxi/ebZh4jz2CRS3tEJMLg+2v//uWkK2oH5t+21JdHPXRmvO?= =?us-ascii?Q?6AGZSBg5QkhzMKeSRPKr0FAoIBP+ABU+gb+E/qpbQskHepuvh+adTcGey10v?= =?us-ascii?Q?LjIUNjoWhJ2vhuSvOJpgcbobiKjL/0M/MI72SD1BxJKHDn8jeaLuRdQE3Tad?= =?us-ascii?Q?ZxEsOXNNReYPlOYsz1H9Y4yXOMYjJbWC2QThey67Q2ZuNQkck1zvnhMTdTm7?= =?us-ascii?Q?nAG+QIuVCIks85uriiLKs60WZvpWTZ4Jg4K3Ep8qdWUO9x52okzmpoDjWBuz?= =?us-ascii?Q?wkU1z3J/gnG5La1aLTKN7Evt0yWyDXO9HugTasLJJKFrWfF8YwEYb1mGgOM5?= =?us-ascii?Q?t6GHgKlObDDZpsBfi2PcKCSWkDWO8qgcyVjCd5L+OuOzE86xg/RaTiPxKpZS?= =?us-ascii?Q?foiIF/wQsUWhMM3n3OmdpqDkSxp0w+RqDWAerbr/SezNAUUMk/7C4fI0xrdv?= =?us-ascii?Q?9keNsn8+TjMMLvj2QGEnbolqBNniBqeXkfk1xCugCbiRp46C8WuMqfiW920L?= =?us-ascii?Q?fiJr/B8mUpdvHu8XpAcijDLhrSnM/1KWqn67OIBnGbJScAA4HlHB5ClQVUYp?= =?us-ascii?Q?OgZdCjMJin35FezBRyVrPKofZ/gxnfnNae36OVG/tIonc4NsgXprh9m3AZeW?= =?us-ascii?Q?bU0sY2LnFMS3idQAOIS+YQMdUKGGL2vnDbjL7i/K+k9eCNwlsMHIJ+unwHa7?= =?us-ascii?Q?Idf/tlc829eMMVgJOh4npuWLt0e6fp2FA23aRSWCUGKYGGSVBRw4CrmlrRel?= =?us-ascii?Q?9M05fmKvkzfE4PlTx/2JFI99FaM76T7ELSOOeM/qHpZoDfCiq8VyNa+BsP0h?= =?us-ascii?Q?tT04oCEf4qKL6ERcO205wos6w+2Om5wFCnhLTyzHOCRvbD67gfkT9ce9zOIV?= =?us-ascii?Q?Kv+B3uk0O4Uwtr+Nd/iQA6f2nWEof+9xuV17j6m/X?= X-Microsoft-Antispam-Message-Info: bZUFW+cio81phen1PtbnxqQcpNgYCiAB0hhME6jabvcPME1EhTlclbV03zOc321q0l/pNdli9bC4vXmTK+D3UfrUnVykr8AJq2k6ego6nwCTmr4dRy69+JNWy7rcEglKz4HpXu3q1T9SjVn/EGdrRfuNwXx794ezBah/YFNlofgGvOJZebFeX4qAu17uR6VR X-Microsoft-Exchange-Diagnostics: 1; MW2PR0102MB3419; 6:A23YOptWCbZyeCDTrfFvq70l0Uu5A/fKAajVb5RycklTX5qFtKVCSAQW9OrSjuq8L0YzDjHSaGq9nS6VmP2AeqZj3M0AAw/6Ved//iOquKSznd2Qz+5JyRYApSTOP5geUF24vYnRgnB5my1lY3uXHxhzIMcNBX4ojBctwH2m2Aku89bD/NYJ9m9+gOndZUNo85xGL097mqp4tPRenLF3R2XlIPLoJzacLez8b0SZtngnXcJd2QLW0Egp2izcm4SAn2MecgJCa4dHJFTiOw+o/7O4wOuK4tpEQE8pP/cxKcahS86LNTh7ipl2IMjT+Bis/doAyW+B9aia7WFa8V2BPWQMkBazf99v7e5/66tpo2Gy2tAuT8T8ZSD3V+ekNEtcEMD59pcHhRPoBX3VXuxjExfc0rBVe3u300TqGYvFKRJDbguUeRIdC7NWYN50dUTDyhfOxHOpz5jEb4xFYhUj7A==; 5:QhiwGOr9LFpM/yRYLRtOnd+99iUd7yopwtbDP5fhIqmImWwBn7x/hA+7Zm8A5BnuSh6AyZRnDiXgQomFVam1n/y3NK2CKCeRa0AjxxjRcqxjXDYXcdDuijiYJtZeInl2cQ6VaHmUM5aXMQuscryKXhuiqE1TIXaORtOG0xgLZSk=; 24:M3bINzX15n4y1heMX5cu4XyTU6bk0gdXlEhRZEMhBXJrXEMCHiO0v/dEYhlB4+loDjLbsCSgQzeFJsWZQX4shYoSsBdfGvpi8XOL/veeUqM= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; MW2PR0102MB3419; 7:IXgHsAMZ3964UR5apm2vNGt5I0Y5Nc31OgQH6HGAJL11yDjZOlMsSu5x54INB1A3bH6oyxRsCATL+7OI1/DzG+aeg7Ww06vnlF8iv0erPFUHAlcjv4rcTIEuBV5QvlEvu9TLi0K2Bb4XKHBMioKqCu25UjF2ZcU5CNeElwMu9JzxroPI87F1Mw8dn9Zxd9ZBJbIGHToTSwwJJ+VKx5cq9dx53CEq1M/h6YzdNXExz/YTcpEljIkGuXN4BHjgMbKs Sender: linux-iio-owner@vger.kernel.org Precedence: bulk

Message ID

20180326212752.7321-2-mkelly@xevo.com (mailing list archive)

State

New, archived

Headers

From: Martin Kelly <mkelly@xevo.com>
To: linux-iio@vger.kernel.org
Cc: Jonathan Cameron <jic23@kernel.org>, Martin Kelly <mkelly@xevo.com>
Subject: [PATCH 2/2] iio:kfifo_buf: check for uint overflow
Date: Mon, 26 Mar 2018 14:27:52 -0700
Message-Id: <20180326212752.7321-2-mkelly@xevo.com>
In-Reply-To: <20180326212752.7321-1-mkelly@xevo.com>
References: <20180326212752.7321-1-mkelly@xevo.com>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: None (protection.outlook.com: xevo.com does not designate
	permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Mar 2018 21:29:11.9185
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a3484063-cc25-4be2-baa8-08d593609e1d
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: e0a7ca1f-2458-4cd6-a7c7-d733c07495ab
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR0102MB3419
Sender: linux-iio-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-iio.vger.kernel.org>
X-Mailing-List: linux-iio@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Martin Kelly March 26, 2018, 9:27 p.m. UTC

Currently, the following causes a kernel OOPS in memcpy:

echo 1073741825 > buffer/length
echo 1 > buffer/enable

Note that using 1073741824 instead of 1073741825 causes "write error:
Cannot allocate memory" but no OOPS.

This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
rounds up to the nearest power of 2, it will actually call kmalloc with
roundup_pow_of_two(length) * bytes_per_datum.

Using length == 1073741825 and bytes_per_datum == 2, we get:

kmalloc(roundup_pow_of_two(1073741825) * 2
or kmalloc(2147483648 * 2)
or kmalloc(4294967296)
or kmalloc(UINT_MAX + 1)

so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
subsequent memcpy to fail once the device is enabled.

Fix this by checking for overflow prior to allocating a kfifo. With this
check added, the above code returns -EINVAL when enabling the buffer,
rather than causing an OOPS.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
---
 drivers/iio/buffer/kfifo_buf.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Jonathan Cameron March 30, 2018, 10:20 a.m. UTC | #1

On Mon, 26 Mar 2018 14:27:52 -0700
Martin Kelly <mkelly@xevo.com> wrote:

> Currently, the following causes a kernel OOPS in memcpy:
> 
> echo 1073741825 > buffer/length
> echo 1 > buffer/enable
> 
> Note that using 1073741824 instead of 1073741825 causes "write error:
> Cannot allocate memory" but no OOPS.
> 
> This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
> rounds up to the nearest power of 2, it will actually call kmalloc with
> roundup_pow_of_two(length) * bytes_per_datum.
> 
> Using length == 1073741825 and bytes_per_datum == 2, we get:
> 
> kmalloc(roundup_pow_of_two(1073741825) * 2
> or kmalloc(2147483648 * 2)
> or kmalloc(4294967296)
> or kmalloc(UINT_MAX + 1)
> 
> so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
> subsequent memcpy to fail once the device is enabled.
> 
> Fix this by checking for overflow prior to allocating a kfifo. With this
> check added, the above code returns -EINVAL when enabling the buffer,
> rather than causing an OOPS.
> 
> Signed-off-by: Martin Kelly <mkelly@xevo.com>
Applied to the fixes-togreg branch of iio.git and marked for stable.

I thought about this for a few mins.  A 4 gig allocation on a 32bit
machine is going to fail anyway for obvious reasons, but good
to protect against overflow if someone were to write this value.

Particularly good description btw!

Thanks,

Jonathan


> ---
>  drivers/iio/buffer/kfifo_buf.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c
> index ac622edf2486..70c302a93d7f 100644
> --- a/drivers/iio/buffer/kfifo_buf.c
> +++ b/drivers/iio/buffer/kfifo_buf.c
> @@ -27,6 +27,13 @@ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
>  	if ((length == 0) || (bytes_per_datum == 0))
>  		return -EINVAL;
>  
> +	/*
> +	 * Make sure we don't overflow an unsigned int after kfifo rounds up to
> +	 * the next power of 2.
> +	 */
> +	if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum)
> +		return -EINVAL;
> +
>  	return __kfifo_alloc((struct __kfifo *)&buf->kf, length,
>  			     bytes_per_datum, GFP_KERNEL);
>  }

--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Martin Kelly April 2, 2018, 4:53 p.m. UTC | #2

On 03/30/2018 03:20 AM, Jonathan Cameron wrote:
> On Mon, 26 Mar 2018 14:27:52 -0700
> Martin Kelly <mkelly@xevo.com> wrote:
> 
>> Currently, the following causes a kernel OOPS in memcpy:
>>
>> echo 1073741825 > buffer/length
>> echo 1 > buffer/enable
>>
>> Note that using 1073741824 instead of 1073741825 causes "write error:
>> Cannot allocate memory" but no OOPS.
>>
>> This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
>> rounds up to the nearest power of 2, it will actually call kmalloc with
>> roundup_pow_of_two(length) * bytes_per_datum.
>>
>> Using length == 1073741825 and bytes_per_datum == 2, we get:
>>
>> kmalloc(roundup_pow_of_two(1073741825) * 2
>> or kmalloc(2147483648 * 2)
>> or kmalloc(4294967296)
>> or kmalloc(UINT_MAX + 1)
>>
>> so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
>> subsequent memcpy to fail once the device is enabled.
>>
>> Fix this by checking for overflow prior to allocating a kfifo. With this
>> check added, the above code returns -EINVAL when enabling the buffer,
>> rather than causing an OOPS.
>>
>> Signed-off-by: Martin Kelly <mkelly@xevo.com>
> Applied to the fixes-togreg branch of iio.git and marked for stable.
> 
> I thought about this for a few mins.  A 4 gig allocation on a 32bit
> machine is going to fail anyway for obvious reasons, but good
> to protect against overflow if someone were to write this value.
> 

Yep, I found this by accident when my userspace had a bug, and then I 
just got curious about what was happening. Such clean, isolated bugs 
like this are rare and fun to find :).

> Particularly good description btw!
> 
> Thanks,
> 
> Jonathan
> 
> 
>> ---
>>   drivers/iio/buffer/kfifo_buf.c | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c
>> index ac622edf2486..70c302a93d7f 100644
>> --- a/drivers/iio/buffer/kfifo_buf.c
>> +++ b/drivers/iio/buffer/kfifo_buf.c
>> @@ -27,6 +27,13 @@ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
>>   	if ((length == 0) || (bytes_per_datum == 0))
>>   		return -EINVAL;
>>   
>> +	/*
>> +	 * Make sure we don't overflow an unsigned int after kfifo rounds up to
>> +	 * the next power of 2.
>> +	 */
>> +	if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum)
>> +		return -EINVAL;
>> +
>>   	return __kfifo_alloc((struct __kfifo *)&buf->kf, length,
>>   			     bytes_per_datum, GFP_KERNEL);
>>   }
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c
index ac622edf2486..70c302a93d7f 100644
--- a/drivers/iio/buffer/kfifo_buf.c
+++ b/drivers/iio/buffer/kfifo_buf.c
@@ -27,6 +27,13 @@  static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
 	if ((length == 0) || (bytes_per_datum == 0))
 		return -EINVAL;
 
+	/*
+	 * Make sure we don't overflow an unsigned int after kfifo rounds up to
+	 * the next power of 2.
+	 */
+	if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum)
+		return -EINVAL;
+
 	return __kfifo_alloc((struct __kfifo *)&buf->kf, length,
 			     bytes_per_datum, GFP_KERNEL);
 }

[2/2] iio:kfifo_buf: check for uint overflow

Commit Message

Comments

Patch