| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <86a8848d-0ebf-2d0d-4a4a-444560a8651a@nvidia.com>
Date: Tue, 18 Apr 2023 15:26:06 +0300
From: Tariq Toukan <tariqt@...dia.com>
To: Arnd Bergmann <arnd@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] net/mlx4: fix build error from usercopy size check
On 18/04/2023 14:47, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> The array_size() helper is used here to prevent accidental overflow in
> mlx4_init_user_cqes(), but as this returns SIZE_MAX in case an overflow
> would happen, the logic in copy_to_user() now detects that as overflowing
> the source:
>
> In file included from arch/x86/include/asm/preempt.h:9,
> from include/linux/preempt.h:78,
> from include/linux/percpu.h:6,
> from include/linux/context_tracking_state.h:5,
> from include/linux/hardirq.h:5,
> from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
> In function 'check_copy_size',
> inlined from 'copy_to_user' at include/linux/uaccess.h:190:6,
> inlined from 'mlx4_init_user_cqes' at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
> inlined from 'mlx4_cq_alloc' at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
> include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
> 244 | __bad_copy_from();
> | ^~~~~~~~~~~~~~~~~
>
> Move the size logic out, and instead use the same size value for the
> comparison and the copy.
>
> Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/net/ethernet/mellanox/mlx4/cq.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
> index 4d4f9cf9facb..020cb8e2883f 100644
> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
> @@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn)
> static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> {
> int entries_per_copy = PAGE_SIZE / cqe_size;
> + size_t copy_size = array_size(entries, cqe_size);
> void *init_ents;
> int err = 0;
> int i;
> @@ -304,7 +305,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> */
> memset(init_ents, 0xcc, PAGE_SIZE);
>
> - if (entries_per_copy < entries) {
> + if (copy_size > PAGE_SIZE) {
> for (i = 0; i < entries / entries_per_copy; i++) {
> err = copy_to_user((void __user *)buf, init_ents, PAGE_SIZE) ?
> -EFAULT : 0;
> @@ -315,7 +316,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> }
> } else {
> err = copy_to_user((void __user *)buf, init_ents,
> - array_size(entries, cqe_size)) ?
> + copy_size) ?
> -EFAULT : 0;
> }
>
Reviewed-by: Tariq Toukan <tariqt@...dia.com>
Thanks for your patch.
Powered by blists - more mailing lists