mbox series

[v3,0/4] Add overflow checks for several syscalls

Message ID 20230128063229.989058-1-mawupeng1@huawei.com (mailing list archive)
Headers show
Series Add overflow checks for several syscalls | expand

Message

mawupeng Jan. 28, 2023, 6:32 a.m. UTC
From: Ma Wupeng <mawupeng1@huawei.com>

While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:

  len = PAGE_ALIGN(len + (offset_in_page(start)));

The same problem happens in munlock.

Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.

Similar logic is used to fix problems with multiple syscalls.

Changelog since v2[2]:
- modified the way of checking overflows based on Andrew's comments

Changelog since v1[1]:
- only check overflow rather than access_ok to keep backward-compatibility

[1]: https://lore.kernel.org/lkml/20221228141701.c64add46c4b09aa17f605baf@linux-foundation.org/T/
[2]: https://lore.kernel.org/linux-mm/20230116115813.2956935-5-mawupeng1@huawei.com/T/

Ma Wupeng (4):
  mm/mlock: return EINVAL if len overflows for mlock/munlock
  mm/mempolicy: return EINVAL for if len overflows for
    set_mempolicy_home_node
  mm/mempolicy: return EINVAL if len overflows for mbind
  mm/msync: return ENOMEM if len overflows for msync

 mm/mempolicy.c | 18 ++++++++++++------
 mm/mlock.c     | 14 ++++++++++++--
 mm/msync.c     |  9 ++++++---
 3 files changed, 30 insertions(+), 11 deletions(-)

Comments

David Hildenbrand Feb. 3, 2023, 5:10 p.m. UTC | #1
On 28.01.23 07:32, Wupeng Ma wrote:
> From: Ma Wupeng <mawupeng1@huawei.com>
> 
> While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
> The return value of mlock is zero. But nothing will be locked since the
> len in do_mlock overflows to zero due to the following code in mlock:
> 
>    len = PAGE_ALIGN(len + (offset_in_page(start)));
> 
> The same problem happens in munlock.
> 
> Add new check and return -EINVAL to fix this overflowing scenarios since
> they are absolutely wrong.
> 
> Similar logic is used to fix problems with multiple syscalls.
> 
> Changelog since v2[2]:
> - modified the way of checking overflows based on Andrew's comments
> 
> Changelog since v1[1]:
> - only check overflow rather than access_ok to keep backward-compatibility

Do you have some test cases and could we add them to LTP, for example?
mawupeng Feb. 6, 2023, 12:52 a.m. UTC | #2
On 2023/2/4 1:10, David Hildenbrand wrote:
> On 28.01.23 07:32, Wupeng Ma wrote:
>> From: Ma Wupeng <mawupeng1@huawei.com>
>>
>> While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
>> The return value of mlock is zero. But nothing will be locked since the
>> len in do_mlock overflows to zero due to the following code in mlock:
>>
>>    len = PAGE_ALIGN(len + (offset_in_page(start)));
>>
>> The same problem happens in munlock.
>>
>> Add new check and return -EINVAL to fix this overflowing scenarios since
>> they are absolutely wrong.
>>
>> Similar logic is used to fix problems with multiple syscalls.
>>
>> Changelog since v2[2]:
>> - modified the way of checking overflows based on Andrew's comments
>>
>> Changelog since v1[1]:
>> - only check overflow rather than access_ok to keep backward-compatibility
> 
> Do you have some test cases and could we add them to LTP, for example?

The basic idea is setting param len to ULONG_MAX. while will overflow if PAGE_ALIGN(len).

Here are some simple examples:

mlock(addr, ULONG_MAX);
set_mempolicy_home_node(addr, ULONG_MAX, 0, 0);
mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL);
msync(addr, ULONG_MAX, MS_ASYNC);

>