1. Patchew
  2. linux
  3. View series

[PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()

Dan Carpenter posted 1 patch 1 week, 1 day ago 
fs/proc/task_mmu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()
Posted by Dan Carpenter 1 week, 1 day ago 
The "arg->vec_len" variable is a u64 that comes from the user at the
start of the function.  The "arg->vec_len * sizeof(struct page_region))"
multiplication can lead to integer wrapping.  Use size_mul() to avoid
that.

Also the size_add/mul() functions work on unsigned long so for 32bit
systems we need to ensure that "arg->vec_len" fits in an unsigned long.

Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 fs/proc/task_mmu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index f57ea9b308bb..38a5a3e9cba2 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
 		return -EFAULT;
 	if (!arg->vec && arg->vec_len)
 		return -EINVAL;
+	if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
+		return -EINVAL;
 	if (arg->vec && !access_ok((void __user *)(long)arg->vec,
-			      arg->vec_len * sizeof(struct page_region)))
+				   size_mul(arg->vec_len, sizeof(struct page_region))))
 		return -EFAULT;
 
 	/* Fixup default values */
-- 
2.45.2
Re: [PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()
Posted by Andrei Vagin 1 week ago 
On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The "arg->vec_len" variable is a u64 that comes from the user at the
> start of the function.  The "arg->vec_len * sizeof(struct page_region))"
> multiplication can lead to integer wrapping.  Use size_mul() to avoid
> that.
>
> Also the size_add/mul() functions work on unsigned long so for 32bit
> systems we need to ensure that "arg->vec_len" fits in an unsigned long.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Cc: stable@vger.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Acked-by: Andrei Vagin <avagin@google.com>

> ---
>  fs/proc/task_mmu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index f57ea9b308bb..38a5a3e9cba2 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
>                 return -EFAULT;
>         if (!arg->vec && arg->vec_len)
>                 return -EINVAL;
> +       if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)

nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)

Thanks,
Andrei
Re: [PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()
Posted by Dan Carpenter 1 week ago 
On Fri, Nov 15, 2024 at 10:49:44AM -0800, Andrei Vagin wrote:
> On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > The "arg->vec_len" variable is a u64 that comes from the user at the
> > start of the function.  The "arg->vec_len * sizeof(struct page_region))"
> > multiplication can lead to integer wrapping.  Use size_mul() to avoid
> > that.
> >
> > Also the size_add/mul() functions work on unsigned long so for 32bit
> > systems we need to ensure that "arg->vec_len" fits in an unsigned long.
> >
> > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> Acked-by: Andrei Vagin <avagin@google.com>
> 
> > ---
> >  fs/proc/task_mmu.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> > index f57ea9b308bb..38a5a3e9cba2 100644
> > --- a/fs/proc/task_mmu.c
> > +++ b/fs/proc/task_mmu.c
> > @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
> >                 return -EFAULT;
> >         if (!arg->vec && arg->vec_len)
> >                 return -EINVAL;
> > +       if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
> 
> nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)

I don't like open coding integer overflow checks now that we have size_add().
Historically, we've done a poor job writing them correctly.

Probably the right thing is to add the > SIZE_MAX check to size_add/mul().

#define size_add(a, b) ({							\
	typeof(a) __a = (a);							\
	typeof(b) __b = (b);							\
	unsigned long __res;							\
	if (__a >= SIZE_MAX || __b >= SIZE_MAX)					\
		__res = ULONG_MAX;						\
	else									\
		__res = __size_add(__a, __b);					\
	__res;									\
})

But I think you'd trigger compiler warnings if a or b were a u32 so probably
we'd need to use a _Generic() or something.

regards,
dan carpenter

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.