[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <437ec6fa34af1ccfadee2d62770e52d99ebf75c3.camel@redhat.com>
Date: Fri, 03 Nov 2023 18:56:49 +0100
From: Philipp Stanner <pstanner@...hat.com>
To: Ryusuke Konishi <konishi.ryusuke@...il.com>
Cc: linux-nilfs@...r.kernel.org, linux-kernel@...r.kernel.org,
Dave Airlie <airlied@...hat.com>
Subject: Re: [PATCH] fs/nilfs2: copy userspace-array safely
On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote:
> On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
> >
> > ioctl.c utilizes memdup_user() to copy a userspace array. This is
> > done
> > without an overflow-check.
> >
> > Use the new wrapper memdup_array_user() to copy the array more
> > safely.
> >
> > Suggested-by: Dave Airlie <airlied@...hat.com>
> > Signed-off-by: Philipp Stanner <pstanner@...hat.com>
> > ---
> > Linus recently merged this new wrapper for Kernel v6.7
>
> The following overflow check is performed just before the usage of
> memdup_user():
>
> if (nsegs > UINT_MAX / sizeof(__u64))
> goto out;
>
> This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
> overflowing segment numbers in nilfs_ioctl_clean_segments()") to
> avoid
> overflowing nsegs * sizeof(__u64) in the subsequent call to
> memdup_user().
>
> I learned about memdup_array_user() this time, and it seems to check
> for overflow when multiplying two size_t arguments (i.e. the number
> of
> elements and size of the array to be copied).
>
> Since size_t is 32-bit or 64-bit depending on the architecture, I
> think the overflow check that memdup_array_user() does
> is included in the above upper limit check by UINT_MAX.
>
> So, for security reasons, I don't think this change is necessary.
> (Am
> I missing something?)
No, I think you are right. My commit message was very generic – it's
more about unifying array-duplication.
I should rephrase it.
>
> In terms of cleanup, I think the clarification this patch brings is
> good, but in that case, I'm concerned about the duplication of
> overflow checks.
Alright, so would you prefer a patch that uses memdup_array_user() and,
consequently, removes the preceding check?
Regards,
P.
>
> Thanks,
> Ryusuke Konishi
>
> > ---
> > fs/nilfs2/ioctl.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> > index 40ffade49f38..6a9dceebb18d 100644
> > --- a/fs/nilfs2/ioctl.c
> > +++ b/fs/nilfs2/ioctl.c
> > @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct
> > inode *inode, struct file *filp,
> >
> > /*
> > * argv[4] points to segment numbers this ioctl cleans. We
> > - * use kmalloc() for its buffer because memory used for the
> > - * segment numbers is enough small.
> > + * use kmalloc() for its buffer because the memory used for
> > the
> > + * segment numbers is small enough.
> > */
> > - kbufs[4] = memdup_user((void __user *)(unsigned
> > long)argv[4].v_base,
> > - nsegs * sizeof(__u64));
> > + kbufs[4] = memdup_array_user((void __user *)(unsigned
> > long)argv[4].v_base,
> > + nsegs, sizeof(__u64));
> > if (IS_ERR(kbufs[4])) {
> > ret = PTR_ERR(kbufs[4]);
> > goto out;
> > --
> > 2.41.0
> >
>
Powered by blists - more mailing lists