1. Patchew
  2. linux
  3. View series

[PATCH] fs/nilfs2: copy userspace-array safely

Philipp Stanner posted 1 patch 2 years, 1 month ago 
fs/nilfs2/ioctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
[PATCH] fs/nilfs2: copy userspace-array safely
Posted by Philipp Stanner 2 years, 1 month ago 
ioctl.c utilizes memdup_user() to copy a userspace array. This is done
without an overflow-check.

Use the new wrapper memdup_array_user() to copy the array more safely.

Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
Linus recently merged this new wrapper for Kernel v6.7
---
 fs/nilfs2/ioctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 40ffade49f38..6a9dceebb18d 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 
 	/*
 	 * argv[4] points to segment numbers this ioctl cleans.  We
-	 * use kmalloc() for its buffer because memory used for the
-	 * segment numbers is enough small.
+	 * use kmalloc() for its buffer because the memory used for the
+	 * segment numbers is small enough.
 	 */
-	kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base,
-			       nsegs * sizeof(__u64));
+	kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base,
+				     nsegs, sizeof(__u64));
 	if (IS_ERR(kbufs[4])) {
 		ret = PTR_ERR(kbufs[4]);
 		goto out;
-- 
2.41.0
Re: [PATCH] fs/nilfs2: copy userspace-array safely
Posted by Ryusuke Konishi 2 years, 1 month ago 
On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
>
> ioctl.c utilizes memdup_user() to copy a userspace array. This is done
> without an overflow-check.
>
> Use the new wrapper memdup_array_user() to copy the array more safely.
>
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> ---
> Linus recently merged this new wrapper for Kernel v6.7

The following overflow check is performed just before the usage of
memdup_user():

        if (nsegs > UINT_MAX / sizeof(__u64))
                goto out;

This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
overflowing segment numbers in nilfs_ioctl_clean_segments()") to avoid
overflowing nsegs * sizeof(__u64) in the subsequent call to
memdup_user().

I learned about memdup_array_user() this time, and it seems to check
for overflow when multiplying two size_t arguments (i.e. the number of
elements and size of the array to be copied).

Since size_t is 32-bit or 64-bit depending on the architecture, I
think the overflow check that memdup_array_user() does
is included in the above upper limit check by UINT_MAX.

So, for security reasons, I don't think this change is necessary.  (Am
I missing something?)

In terms of cleanup, I think the clarification this patch brings is
good, but in that case, I'm concerned about the duplication of
overflow checks.

Thanks,
Ryusuke Konishi

> ---
>  fs/nilfs2/ioctl.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index 40ffade49f38..6a9dceebb18d 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
>
>         /*
>          * argv[4] points to segment numbers this ioctl cleans.  We
> -        * use kmalloc() for its buffer because memory used for the
> -        * segment numbers is enough small.
> +        * use kmalloc() for its buffer because the memory used for the
> +        * segment numbers is small enough.
>          */
> -       kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base,
> -                              nsegs * sizeof(__u64));
> +       kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base,
> +                                    nsegs, sizeof(__u64));
>         if (IS_ERR(kbufs[4])) {
>                 ret = PTR_ERR(kbufs[4]);
>                 goto out;
> --
> 2.41.0
>
Re: [PATCH] fs/nilfs2: copy userspace-array safely
Posted by Philipp Stanner 2 years, 1 month ago 
On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote:
> On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
> > 
> > ioctl.c utilizes memdup_user() to copy a userspace array. This is
> > done
> > without an overflow-check.
> > 
> > Use the new wrapper memdup_array_user() to copy the array more
> > safely.
> > 
> > Suggested-by: Dave Airlie <airlied@redhat.com>
> > Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> > ---
> > Linus recently merged this new wrapper for Kernel v6.7
> 
> The following overflow check is performed just before the usage of
> memdup_user():
> 
>         if (nsegs > UINT_MAX / sizeof(__u64))
>                 goto out;
> 
> This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
> overflowing segment numbers in nilfs_ioctl_clean_segments()") to
> avoid
> overflowing nsegs * sizeof(__u64) in the subsequent call to
> memdup_user().
> 
> I learned about memdup_array_user() this time, and it seems to check
> for overflow when multiplying two size_t arguments (i.e. the number
> of
> elements and size of the array to be copied).
> 
> Since size_t is 32-bit or 64-bit depending on the architecture, I
> think the overflow check that memdup_array_user() does
> is included in the above upper limit check by UINT_MAX.
> 
> So, for security reasons, I don't think this change is necessary. 
> (Am
> I missing something?)

No, I think you are right. My commit message was very generic – it's
more about unifying array-duplication.
I should rephrase it.

> 
> In terms of cleanup, I think the clarification this patch brings is
> good, but in that case, I'm concerned about the duplication of
> overflow checks.

Alright, so would you prefer a patch that uses memdup_array_user() and,
consequently, removes the preceding check?

Regards,
P.

> 
> Thanks,
> Ryusuke Konishi
> 
> > ---
> >  fs/nilfs2/ioctl.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> > index 40ffade49f38..6a9dceebb18d 100644
> > --- a/fs/nilfs2/ioctl.c
> > +++ b/fs/nilfs2/ioctl.c
> > @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct
> > inode *inode, struct file *filp,
> > 
> >         /*
> >          * argv[4] points to segment numbers this ioctl cleans.  We
> > -        * use kmalloc() for its buffer because memory used for the
> > -        * segment numbers is enough small.
> > +        * use kmalloc() for its buffer because the memory used for
> > the
> > +        * segment numbers is small enough.
> >          */
> > -       kbufs[4] = memdup_user((void __user *)(unsigned
> > long)argv[4].v_base,
> > -                              nsegs * sizeof(__u64));
> > +       kbufs[4] = memdup_array_user((void __user *)(unsigned
> > long)argv[4].v_base,
> > +                                    nsegs, sizeof(__u64));
> >         if (IS_ERR(kbufs[4])) {
> >                 ret = PTR_ERR(kbufs[4]);
> >                 goto out;
> > --
> > 2.41.0
> > 
>
Re: [PATCH] fs/nilfs2: copy userspace-array safely
Posted by Ryusuke Konishi 2 years, 1 month ago 
On Sat, Nov 4, 2023 at 2:56 AM Philipp Stanner wrote:
>
> On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote:
> > On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
> > >
> > > ioctl.c utilizes memdup_user() to copy a userspace array. This is
> > > done
> > > without an overflow-check.
> > >
> > > Use the new wrapper memdup_array_user() to copy the array more
> > > safely.
> > >
> > > Suggested-by: Dave Airlie <airlied@redhat.com>
> > > Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> > > ---
> > > Linus recently merged this new wrapper for Kernel v6.7
> >
> > The following overflow check is performed just before the usage of
> > memdup_user():
> >
> >         if (nsegs > UINT_MAX / sizeof(__u64))
> >                 goto out;
> >
> > This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
> > overflowing segment numbers in nilfs_ioctl_clean_segments()") to
> > avoid
> > overflowing nsegs * sizeof(__u64) in the subsequent call to
> > memdup_user().
> >
> > I learned about memdup_array_user() this time, and it seems to check
> > for overflow when multiplying two size_t arguments (i.e. the number
> > of
> > elements and size of the array to be copied).
> >
> > Since size_t is 32-bit or 64-bit depending on the architecture, I
> > think the overflow check that memdup_array_user() does
> > is included in the above upper limit check by UINT_MAX.
> >
> > So, for security reasons, I don't think this change is necessary.
> > (Am
> > I missing something?)
>
> No, I think you are right. My commit message was very generic – it's
> more about unifying array-duplication.
> I should rephrase it.
>
> >
> > In terms of cleanup, I think the clarification this patch brings is
> > good, but in that case, I'm concerned about the duplication of
> > overflow checks.
>
> Alright, so would you prefer a patch that uses memdup_array_user() and,
> consequently, removes the preceding check?
>
> Regards,
> P.

Yeah.  If you could revise it as a cleanup patch, I would like to
adopt it for the next cycle.

Regards,
Ryusuke Konishi

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.