lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1b18cec7-3d58-4cdc-b653-fb5790d04879@stanley.mountain>
Date: Fri, 15 Nov 2024 22:29:52 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Andrei Vagin <avagin@...gle.com>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	David Hildenbrand <david@...hat.com>,
	Matthew Wilcox <willy@...radead.org>,
	Oscar Salvador <osalvador@...e.de>,
	Andrii Nakryiko <andrii@...nel.org>,
	Ryan Roberts <ryan.roberts@....com>, Peter Xu <peterx@...hat.com>,
	Michał Mirosław <mirq-linux@...e.qmqm.pl>,
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] fs/proc/task_mmu: prevent integer overflow in
 pagemap_scan_get_args()

On Fri, Nov 15, 2024 at 10:49:44AM -0800, Andrei Vagin wrote:
> On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@...aro.org> wrote:
> >
> > The "arg->vec_len" variable is a u64 that comes from the user at the
> > start of the function.  The "arg->vec_len * sizeof(struct page_region))"
> > multiplication can lead to integer wrapping.  Use size_mul() to avoid
> > that.
> >
> > Also the size_add/mul() functions work on unsigned long so for 32bit
> > systems we need to ensure that "arg->vec_len" fits in an unsigned long.
> >
> > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> 
> Acked-by: Andrei Vagin <avagin@...gle.com>
> 
> > ---
> >  fs/proc/task_mmu.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> > index f57ea9b308bb..38a5a3e9cba2 100644
> > --- a/fs/proc/task_mmu.c
> > +++ b/fs/proc/task_mmu.c
> > @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
> >                 return -EFAULT;
> >         if (!arg->vec && arg->vec_len)
> >                 return -EINVAL;
> > +       if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
> 
> nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)

I don't like open coding integer overflow checks now that we have size_add().
Historically, we've done a poor job writing them correctly.

Probably the right thing is to add the > SIZE_MAX check to size_add/mul().

#define size_add(a, b) ({							\
	typeof(a) __a = (a);							\
	typeof(b) __b = (b);							\
	unsigned long __res;							\
	if (__a >= SIZE_MAX || __b >= SIZE_MAX)					\
		__res = ULONG_MAX;						\
	else									\
		__res = __size_add(__a, __b);					\
	__res;									\
})

But I think you'd trigger compiler warnings if a or b were a u32 so probably
we'd need to use a _Generic() or something.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ