lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEWA0a5vMq4vGRj4FVQXUR2unN-xAmsFt5ymi4SL+H0yfNpdfw@mail.gmail.com>
Date: Fri, 15 Nov 2024 10:49:44 -0800
From: Andrei Vagin <avagin@...gle.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>, Andrew Morton <akpm@...ux-foundation.org>, 
	David Hildenbrand <david@...hat.com>, Matthew Wilcox <willy@...radead.org>, 
	Oscar Salvador <osalvador@...e.de>, Andrii Nakryiko <andrii@...nel.org>, 
	Ryan Roberts <ryan.roberts@....com>, Peter Xu <peterx@...hat.com>, 
	Michał Mirosław <mirq-linux@...e.qmqm.pl>, 
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()

On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@...aro.org> wrote:
>
> The "arg->vec_len" variable is a u64 that comes from the user at the
> start of the function.  The "arg->vec_len * sizeof(struct page_region))"
> multiplication can lead to integer wrapping.  Use size_mul() to avoid
> that.
>
> Also the size_add/mul() functions work on unsigned long so for 32bit
> systems we need to ensure that "arg->vec_len" fits in an unsigned long.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Cc: stable@...r.kernel.org
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>

Acked-by: Andrei Vagin <avagin@...gle.com>

> ---
>  fs/proc/task_mmu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index f57ea9b308bb..38a5a3e9cba2 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
>                 return -EFAULT;
>         if (!arg->vec && arg->vec_len)
>                 return -EINVAL;
> +       if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)

nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)

Thanks,
Andrei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ