| Message ID | 20230714182932.2608735-1-axelrasmussen@google.com |
|---|---|
| State | New |
| Headers | show |
| Series | [mm-unstable,fix] mm: userfaultfd: check for start + len overflow in validate_range: fix | expand |
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 53a7220c4679..36d233759233 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1759,6 +1759,9 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, sizeof(uffdio_copy)-sizeof(__s64))) goto out; + ret = validate_range(ctx->mm, uffdio_copy.src, uffdio_copy.len); + if (ret) + goto out; ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len); if (ret) goto out;
This commit removed an extra check for zero-length ranges, and folded it into the common validate_range() helper used by all UFFD ioctls. It failed to notice though that UFFDIO_COPY *only* called validate_range on the dst range, not the src range. So removing this check actually let us proceed with zero-length source ranges, eventually hitting a BUG further down in the call stack. The correct fix seems clear: call validate_range() on the src range too. Other ioctls are not affected by this, as they only have one range, not two (src + dst). Reported-by: syzbot+42309678e0bc7b32f8e9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=42309678e0bc7b32f8e9 Signed-off-by: Axel Rasmussen <axelrasmussen@google.com> --- fs/userfaultfd.c | 3 +++ 1 file changed, 3 insertions(+)