| Message ID | 39d41335-dd4d-48ed-8a7f-402c57d8ea84@stanley.mountain (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() | expand |
On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@linaro.org> wrote: > > The "arg->vec_len" variable is a u64 that comes from the user at the > start of the function. The "arg->vec_len * sizeof(struct page_region))" > multiplication can lead to integer wrapping. Use size_mul() to avoid > that. > > Also the size_add/mul() functions work on unsigned long so for 32bit > systems we need to ensure that "arg->vec_len" fits in an unsigned long. > > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") > Cc: stable@vger.kernel.org > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Acked-by: Andrei Vagin <avagin@google.com> > --- > fs/proc/task_mmu.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > index f57ea9b308bb..38a5a3e9cba2 100644 > --- a/fs/proc/task_mmu.c > +++ b/fs/proc/task_mmu.c > @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg, > return -EFAULT; > if (!arg->vec && arg->vec_len) > return -EINVAL; > + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX) nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region) Thanks, Andrei
On Fri, Nov 15, 2024 at 10:49:44AM -0800, Andrei Vagin wrote: > On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@linaro.org> wrote: > > > > The "arg->vec_len" variable is a u64 that comes from the user at the > > start of the function. The "arg->vec_len * sizeof(struct page_region))" > > multiplication can lead to integer wrapping. Use size_mul() to avoid > > that. > > > > Also the size_add/mul() functions work on unsigned long so for 32bit > > systems we need to ensure that "arg->vec_len" fits in an unsigned long. > > > > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") > > Cc: stable@vger.kernel.org > > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > > Acked-by: Andrei Vagin <avagin@google.com> > > > --- > > fs/proc/task_mmu.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > > index f57ea9b308bb..38a5a3e9cba2 100644 > > --- a/fs/proc/task_mmu.c > > +++ b/fs/proc/task_mmu.c > > @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg, > > return -EFAULT; > > if (!arg->vec && arg->vec_len) > > return -EINVAL; > > + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX) > > nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region) I don't like open coding integer overflow checks now that we have size_add(). Historically, we've done a poor job writing them correctly. Probably the right thing is to add the > SIZE_MAX check to size_add/mul(). #define size_add(a, b) ({ \ typeof(a) __a = (a); \ typeof(b) __b = (b); \ unsigned long __res; \ if (__a >= SIZE_MAX || __b >= SIZE_MAX) \ __res = ULONG_MAX; \ else \ __res = __size_add(__a, __b); \ __res; \ }) But I think you'd trigger compiler warnings if a or b were a u32 so probably we'd need to use a _Generic() or something. regards, dan carpenter
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index f57ea9b308bb..38a5a3e9cba2 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg, return -EFAULT; if (!arg->vec && arg->vec_len) return -EINVAL; + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX) + return -EINVAL; if (arg->vec && !access_ok((void __user *)(long)arg->vec, - arg->vec_len * sizeof(struct page_region))) + size_mul(arg->vec_len, sizeof(struct page_region)))) return -EFAULT; /* Fixup default values */
The "arg->vec_len" variable is a u64 that comes from the user at the start of the function. The "arg->vec_len * sizeof(struct page_region))" multiplication can lead to integer wrapping. Use size_mul() to avoid that. Also the size_add/mul() functions work on unsigned long so for 32bit systems we need to ensure that "arg->vec_len" fits in an unsigned long. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- fs/proc/task_mmu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)