From: Wupeng Ma
Subject: [PATCH 1/4] mm/mlock: return EINVAL for illegal user memory range in mlock
Date: Mon, 5 Dec 2022 11:41:05 +0800
Message-ID: <20221205034108.3365182-2-mawupeng1@huawei.com>
In-Reply-To: <20221205034108.3365182-1-mawupeng1@huawei.com>

From: Ma Wupeng While testing mlock, we have a problem if the len of mlock is ULONG_MAX. The return value of mlock is zero. But nothing will be locked since the len in do_mlock overflows to zero due to the following code in mlock: len =3D PAGE_ALIGN(len + (offset_in_page(start))); The same problem happens in munlock. Since TASK_SIZE is the maximum user space address. The start or len of mlock shouldn't be bigger than this. Function access_ok can be used to check this issue, so return -EINVAL if bigger. Signed-off-by: Ma Wupeng --- mm/mlock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mm/mlock.c b/mm/mlock.c index 7032f6dd0ce1..b9422a62a4cf 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -575,6 +575,9 @@ static __must_check int do_mlock(unsigned long start, s= ize_t len, vm_flags_t fla if (!can_do_mlock()) return -EPERM; =20 + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + len =3D PAGE_ALIGN(len + (offset_in_page(start))); start &=3D PAGE_MASK; =20 
@@ -635,6 +638,9 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, = len) =20 start =3D untagged_addr(start); =20 + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + len =3D PAGE_ALIGN(len + (offset_in_page(start))); start &=3D PAGE_MASK; =20 --=20 2.25.1
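Review bot: In the do_mlock hunk the new access_ok() test rejects every range that reaches past the user address limit, not only the len wrap in PAGE_ALIGN(len + (offset_in_page(start))) that the log describes, so the log should state that broader change to mlock's return value and what such calls returned before. The added lines carry no comment explaining why access_ok() is used here; a one-line comment above the check naming the PAGE_ALIGN wrap would help. The context of this hunk does not show start going through untagged_addr() before the check, as it does in the munlock hunk; please confirm the ordering is the same in both paths.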
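Review bot: The three added lines in the munlock hunk are a verbatim copy of the ones added to do_mlock, and patches 2/4 to 4/4 repeat the same test in three more syscalls; a small shared helper with a descriptive name would keep the check and its error code in one place. The log says the same problem happens in munlock but gives no input or observed result for it, so add the failing munlock call alongside the mlock case with len = ULONG_MAX.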
From: Wupeng Ma
Subject: [PATCH 2/4] mm/mempolicy: return EINVAL for illegal user memory range for set_mempolicy_home_node
Date: Mon, 5 Dec 2022 11:41:06 +0800
Message-ID: <20221205034108.3365182-3-mawupeng1@huawei.com>
In-Reply-To: <20221205034108.3365182-1-mawupeng1@huawei.com>

From: Ma Wupeng

Add access_ok to check user memory range and return EINVAL if overflows.

Signed-off-by: Ma Wupeng
--- mm/mempolicy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 61aa9aedb728..e3a2c465fe8a 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c
@@ -1499,6 +1499,10 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned lo= ng, start, unsigned long, le start =3D untagged_addr(start); if (start & ~PAGE_MASK) return -EINVAL; + + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + /* * flags is used for future extension if any. */ --=20 2.25.1
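Review bot: The log for this change names no failing input for set_mempolicy_home_node; say which start/len pair misbehaves today and what the syscall returns for it, as patch 1/4 does for mlock. In the hunk the check runs on the raw len directly after the start & ~PAGE_MASK test; if len is rounded or added to start later in the function, a short comment should say that the access_ok() bound is what keeps that arithmetic from wrapping, otherwise the purpose of the check is not visible at this spot.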
From: Wupeng Ma
Subject: [PATCH 3/4] mm/mempolicy: return EINVAL for illegal user memory range for mbind
Date: Mon, 5 Dec 2022 11:41:07 +0800
Message-ID: <20221205034108.3365182-4-mawupeng1@huawei.com>
In-Reply-To: <20221205034108.3365182-1-mawupeng1@huawei.com>

From: Ma Wupeng

Add access_ok to check user memory range and return EINVAL if overflows for mbind.

Signed-off-by: Ma Wupeng
--- mm/mempolicy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index e3a2c465fe8a..a6bddf454953 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c
@@ -1272,6 +1272,9 @@ static long do_mbind(unsigned long start, unsigned lo= ng len, if (start & ~PAGE_MASK) return -EINVAL; =20 + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + if (mode =3D=3D MPOL_DEFAULT) flags &=3D ~MPOL_MF_STRICT; =20 --=20 2.25.1
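Review bot: The context of the do_mbind hunk does not show start being passed through untagged_addr() before the new access_ok() test, unlike the set_mempolicy_home_node and munlock hunks where that call is visible just above the check; confirm the caller has already untagged it. The check also returns -EINVAL ahead of the mode and flags handling, so the log should state what do_mbind returned for an out-of-range start/len before this change. This patch and 2/4 touch the same file with the same one-sentence log; consider folding them and describing the mbind input that goes wrong.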
From: Wupeng Ma
Subject: [PATCH 4/4] mm/msync: return EINVAL for illegal user memory range for msync
Date: Mon, 5 Dec 2022 11:41:08 +0800
Message-ID: <20221205034108.3365182-5-mawupeng1@huawei.com>
In-Reply-To: <20221205034108.3365182-1-mawupeng1@huawei.com>

From: Ma Wupeng

Add access_ok to check user memory range and return EINVAL if overflows for msync.

Signed-off-by: Ma Wupeng
--- mm/msync.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/msync.c b/mm/msync.c index ac4c9bfea2e7..a87c3dca473a 100644 --- a/mm/msync.c +++ b/mm/msync.c @@ -43,6 +43,8 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len,= int, flags) goto out; if (offset_in_page(start)) goto out; + if (unlikely(!access_ok((void __user *)start, len))) + goto out; if ((flags & MS_ASYNC) && (flags & MS_SYNC)) goto out; error =3D -ENOMEM; --=20 2.25.1
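Review bot: The added branch in the msync hunk uses goto out without setting error, so the -EINVAL promised in the subject depends on error still holding a value assigned outside the visible context; the only assignment shown is error = -ENOMEM a few lines below. That follows the neighbouring offset_in_page(start) test, but a short comment on the new check would make the returned code obvious to the next reader. The log again gives no start/len pair that msync mishandles today; add the failing call and its current result.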