| Message ID | 20240129183729.work.991-kees@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | bd8c239c0502e70c92cf9496846bcbec7cd5702f |
| Headers | show |
| Series | iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user() | expand |
On Mon, 29 Jan 2024 10:37:29 -0800, Kees Cook wrote: > The loop counter "i" in copy_compat_iovec_from_user() is an int, but > because the nr_segs argument is unsigned long, the signed overflow > sanitizer got worried "i" could wrap around. Instead of making "i" an > unsigned long (which may enlarge the type size), switch both nr_segs > and i to u32. There is no truncation with nr_segs since it is never > larger than UIO_MAXIOV anyway. This keeps sanitizer instrumentation[1] > out of a UACCESS path: > > [...] Applied to the vfs.misc branch of the vfs/vfs.git tree. Patches in the vfs.misc branch should appear in linux-next soon. Please report any outstanding bugs that were missed during review in a new review to the original patch series allowing us to drop it. It's encouraged to provide Acked-bys and Reviewed-bys even though the patch has now been applied. If possible patch trailers will be updated. Note that commit hashes shown below are subject to change due to rebase, trailer updates or similar. If in doubt, please check the listed branch. tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git branch: vfs.misc [1/1] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user() https://git.kernel.org/vfs/vfs/c/2d5099585c5b
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index e0aa6b440ca5..d797a43dca91 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -1166,11 +1166,12 @@ const void *dup_iter(struct iov_iter *new, struct iov_iter *old, gfp_t flags) EXPORT_SYMBOL(dup_iter); static __noclone int copy_compat_iovec_from_user(struct iovec *iov, - const struct iovec __user *uvec, unsigned long nr_segs) + const struct iovec __user *uvec, u32 nr_segs) { const struct compat_iovec __user *uiov = (const struct compat_iovec __user *)uvec; - int ret = -EFAULT, i; + int ret = -EFAULT; + u32 i; if (!user_access_begin(uiov, nr_segs * sizeof(*uiov))) return -EFAULT;
The loop counter "i" in copy_compat_iovec_from_user() is an int, but because the nr_segs argument is unsigned long, the signed overflow sanitizer got worried "i" could wrap around. Instead of making "i" an unsigned long (which may enlarge the type size), switch both nr_segs and i to u32. There is no truncation with nr_segs since it is never larger than UIO_MAXIOV anyway. This keeps sanitizer instrumentation[1] out of a UACCESS path: vmlinux.o: warning: objtool: copy_compat_iovec_from_user+0xa9: call to __ubsan_handle_add_overflow() with UACCESS enabled Link: https://github.com/KSPP/linux/issues/26 [1] Cc: Christian Brauner <brauner@kernel.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Signed-off-by: Kees Cook <keescook@chromium.org> --- lib/iov_iter.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)