From patchwork Fri Jul 7 21:55:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 700254 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FDAAEB64D9 for ; Fri, 7 Jul 2023 21:56:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232787AbjGGV4C (ORCPT ); Fri, 7 Jul 2023 17:56:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44084 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232523AbjGGVzv (ORCPT ); Fri, 7 Jul 2023 17:55:51 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0EE9E2102 for ; Fri, 7 Jul 2023 14:55:48 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id 3f1490d57ef6-c690b153f67so2325625276.2 for ; Fri, 07 Jul 2023 14:55:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1688766947; x=1691358947; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=NbMcVYI2pBRE777guUXN8FaAW75orbR1/eldPHt/4Qo=; b=NOEsj6QlU33fkoMHjc+WtoODa05QBYjoZyIbXV7SYMyRK4hq0SF4tb/6rEhclUqRYC mOAiI18o28n3yIQcsYTOwNtyQs9I4Y75+l2ujaQgav71uvbNCaDX8ZAB71qsYgJ7+xTa uxTM2xxcQMPCK82+u5G0FIcYmJndcJvSC2j4rI/o0BwYIadvkUVSbCsJTgLi+uxz3KVd Q99KgDvVH0Fhf1f3UtgXY26LR8Gv38XOQazfPV3NexlCyCTv+Yqi8QmGof9JmvYLxs5o 0PxXYucNeE0EtG/ra5xrr2THGEnwJn3zj/1ct12e0dwMeVPDE0288jdN/lwXa8MEHOhK 4RFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688766947; x=1691358947; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=NbMcVYI2pBRE777guUXN8FaAW75orbR1/eldPHt/4Qo=; b=QDa2ZaMtueEB4NRE2iUi2LizRb8eTFqN4b6vS8h1QrmnDuVN2jgTlZqGcb4Ifmb2jb 3oy4J8NuREENMeKmlFuX7k1c0gtMiWbtQTi62hRoasamLSB5Y/yikO2rPAkZ2cLPZrh4 4aLJM0hz8PDp1xkSu527MQhf19ELuWGET/rJTqevMFlDe6xo0KoEbD+lDM5FZPnSyXuX cAMA+Ll8e9zBXEHJIkXvGrbv2Tqs10z26D9NsDZYP2LbZSndfJWJ0WPWT6mbH4nX9PxE +GwaQQhm5N8UxFnixg8XEoHMnICMur7K3Kp1E5DFqTPBf2jYe7gPvo3e7R0eSi8mPw2E ixWA== X-Gm-Message-State: ABy/qLYKDTZSL+1KYUJT6ea8O4N3KMbMKeclgRyN7n7NmwcxlkzjT6S0 zYcxspgPohE32sIavOxrXJWHd5nCazozCkHbslRW X-Google-Smtp-Source: APBJJlEoVC4taEJfd9VKK1x5AQ0VZDBfiUiNYwaYXwEPy1wLKPyTHC7hYYwTD01ltEHbhNSVCtGCPYme0YQ0PD4Gp2hC X-Received: from axel.svl.corp.google.com ([2620:15c:2a3:200:c201:5125:39d1:ef3f]) (user=axelrasmussen job=sendgmr) by 2002:a25:ac9e:0:b0:c5b:c4:1789 with SMTP id x30-20020a25ac9e000000b00c5b00c41789mr33953ybi.1.1688766947243; Fri, 07 Jul 2023 14:55:47 -0700 (PDT) Date: Fri, 7 Jul 2023 14:55:34 -0700 In-Reply-To: <20230707215540.2324998-1-axelrasmussen@google.com> Mime-Version: 1.0 References: <20230707215540.2324998-1-axelrasmussen@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230707215540.2324998-3-axelrasmussen@google.com> Subject: [PATCH v4 2/8] mm: userfaultfd: check for start + len overflow in validate_range From: Axel Rasmussen To: Alexander Viro , Andrew Morton , Brian Geffon , Christian Brauner , David Hildenbrand , Gaosheng Cui , Huang Ying , Hugh Dickins , James Houghton , "Jan Alexander Steffens (heftig)" , Jiaqi Yan , Jonathan Corbet , Kefeng Wang , "Liam R. Howlett" , Miaohe Lin , Mike Kravetz , "Mike Rapoport (IBM)" , Muchun Song , Nadav Amit , Naoya Horiguchi , Peter Xu , Ryan Roberts , Shuah Khan , Suleiman Souhlal , Suren Baghdasaryan , "T.J. Alumbaugh" , Yu Zhao , ZhangPeng Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, Axel Rasmussen Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Most userfaultfd ioctls take a `start + len` range as an argument. We have the validate_range helper to check that such ranges are valid. However, some (but not all!) ioctls *also* check that `start + len` doesn't wrap around (overflow). Just check for this in validate_range. This saves some repetitive code, and adds the check to some ioctls which weren't bothering to check for it before. Reviewed-by: Peter Xu Signed-off-by: Axel Rasmussen --- fs/userfaultfd.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 7cecd49e078b..2e84684c46f0 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1306,6 +1306,8 @@ static __always_inline int validate_range(struct mm_struct *mm, return -EINVAL; if (len > task_size - start) return -EINVAL; + if (start + len <= start) + return -EINVAL; return 0; } @@ -1760,14 +1762,8 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len); if (ret) goto out; - /* - * double check for wraparound just in case. copy_from_user() - * will later check uffdio_copy.src + uffdio_copy.len to fit - * in the userland range. - */ + ret = -EINVAL; - if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src) - goto out; if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP)) goto out; if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP) @@ -1927,11 +1923,6 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) goto out; ret = -EINVAL; - /* double check for wraparound just in case. */ - if (uffdio_continue.range.start + uffdio_continue.range.len <= - uffdio_continue.range.start) { - goto out; - } if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE | UFFDIO_CONTINUE_MODE_WP)) goto out;