| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <39d41335-dd4d-48ed-8a7f-402c57d8ea84@stanley.mountain>
Date: Thu, 14 Nov 2024 11:59:32 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Muhammad Usama Anjum <usama.anjum@...labora.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
David Hildenbrand <david@...hat.com>,
Matthew Wilcox <willy@...radead.org>,
Oscar Salvador <osalvador@...e.de>,
Andrii Nakryiko <andrii@...nel.org>,
Ryan Roberts <ryan.roberts@....com>, Peter Xu <peterx@...hat.com>,
Michał Mirosław <mirq-linux@...e.qmqm.pl>,
Andrei Vagin <avagin@...gle.com>, Arnd Bergmann <arnd@...db.de>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [PATCH] fs/proc/task_mmu: prevent integer overflow in
pagemap_scan_get_args()
The "arg->vec_len" variable is a u64 that comes from the user at the
start of the function. The "arg->vec_len * sizeof(struct page_region))"
multiplication can lead to integer wrapping. Use size_mul() to avoid
that.
Also the size_add/mul() functions work on unsigned long so for 32bit
systems we need to ensure that "arg->vec_len" fits in an unsigned long.
Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Cc: stable@...r.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
fs/proc/task_mmu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index f57ea9b308bb..38a5a3e9cba2 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
return -EFAULT;
if (!arg->vec && arg->vec_len)
return -EINVAL;
+ if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
+ return -EINVAL;
if (arg->vec && !access_ok((void __user *)(long)arg->vec,
- arg->vec_len * sizeof(struct page_region)))
+ size_mul(arg->vec_len, sizeof(struct page_region))))
return -EFAULT;
/* Fixup default values */
--
2.45.2
Powered by blists - more mailing lists