From patchwork Thu Jul 6 22:50:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 699935 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89138EB64DC for ; Thu, 6 Jul 2023 22:50:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231468AbjGFWu5 (ORCPT ); Thu, 6 Jul 2023 18:50:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231334AbjGFWuz (ORCPT ); Thu, 6 Jul 2023 18:50:55 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1626E19BD for ; Thu, 6 Jul 2023 15:50:54 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id 3f1490d57ef6-c5e3d2c339aso1226520276.3 for ; Thu, 06 Jul 2023 15:50:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1688683853; x=1691275853; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=dr4h9VGDfsn/VMT+xHDPiOp9dXBZSKUD38K7YaReMD4=; b=oG6cUbXqueLNKCE01QfHG46TYxjrnSczrRs1z4fAd0XehnlwpZ6QzxEJt4W2Ue3oTg jmIlcVMPOO3wBc5Jmpx0+P7PdoVG9zHOG4l9JNotEr1VVRKn8UBqflwPIUBZiM7amwz3 tHjgfEOpZHvakwUYyo/kFliQBAwyxEYaH9p9Krdz4uCEX03XtWL0k4huwPf4JMBUWiuJ vH0FF8WK3+d9dnq2JbKxfTWxmC9bR4z1x++0EIg8VN51Y6zcrk9sFkWFs+n0Ee8WaTrI T/JjfeQ68QMFZsZ0wuD8e82BwZ+qeWxNN+55lMptu2IruYWfXF6lh4uEunTtWoQohPkt /enw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688683853; x=1691275853; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dr4h9VGDfsn/VMT+xHDPiOp9dXBZSKUD38K7YaReMD4=; b=B/FpwC1lDh0SHCCW1/kK3nxiCE2QcOWCe9zxxmh2+alxiPHUjmH2uJ87iFQ0EWrqOh iA9KTeGtObnzJaMiRtVuIhucgLrDMrqYcnTpXx7Nthks2iVnIj0NKZ32fzGoB44eXn6z wVO6bo52HYADYQY+C4Dpm2uDE4932a3CrUME7pAb6IlEySp0W90ATChjRTLo5PKgPZNF 4PezUG9x0WYUryi5SaP67lxONEn+uvtxkEacsIu7Hhe+V/fkfCkSEdYzuDUvnq36GDSn ZBhSi8Ju5+u/V/7QZFQteF2ZQS+tDCxjri+79TXELWVwm4L9Y8wiPgGJj+yuhfaQIgek mj8g== X-Gm-Message-State: ABy/qLYIeoBDZCuyN5IUTQlowFEFXRuSE7GsLQ5sVJlb9soie9ci9zls bLL9eMrGzVU5VlgmA5Skh8xGRIPmMIScp3w2mOM/ X-Google-Smtp-Source: APBJJlEl5yfZInV23tQIGQwzZqjUhDMQjVJrb/6PeQU7rd1hzOOT/WdC6F9gqXpUHWmfYN6lE3AUVfAUoi1up8aCXiJW X-Received: from axel.svl.corp.google.com ([2620:15c:2a3:200:bec3:2b1c:87a:fca2]) (user=axelrasmussen job=sendgmr) by 2002:a25:c70e:0:b0:c67:e177:100a with SMTP id w14-20020a25c70e000000b00c67e177100amr19507ybe.4.1688683853333; Thu, 06 Jul 2023 15:50:53 -0700 (PDT) Date: Thu, 6 Jul 2023 15:50:30 -0700 In-Reply-To: <20230706225037.1164380-1-axelrasmussen@google.com> Mime-Version: 1.0 References: <20230706225037.1164380-1-axelrasmussen@google.com> X-Mailer: git-send-email 2.41.0.255.g8b1d071c50-goog Message-ID: <20230706225037.1164380-3-axelrasmussen@google.com> Subject: [PATCH v3 2/8] mm: userfaultfd: check for start + len overflow in validate_range From: Axel Rasmussen To: Alexander Viro , Andrew Morton , Brian Geffon , Christian Brauner , David Hildenbrand , Gaosheng Cui , Huang Ying , Hugh Dickins , James Houghton , "Jan Alexander Steffens (heftig)" , Jiaqi Yan , Jonathan Corbet , Kefeng Wang , "Liam R. Howlett" , Miaohe Lin , Mike Kravetz , "Mike Rapoport (IBM)" , Muchun Song , Nadav Amit , Naoya Horiguchi , Peter Xu , Ryan Roberts , Shuah Khan , Suleiman Souhlal , Suren Baghdasaryan , "T.J. Alumbaugh" , Yu Zhao , ZhangPeng Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, Axel Rasmussen Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Most userfaultfd ioctls take a `start + len` range as an argument. We have the validate_range helper to check that such ranges are valid. However, some (but not all!) ioctls *also* check that `start + len` doesn't wrap around (overflow). Just check for this in validate_range. This saves some repetitive code, and adds the check to some ioctls which weren't bothering to check for it before. Signed-off-by: Axel Rasmussen Reviewed-by: Peter Xu --- fs/userfaultfd.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 7cecd49e078b..2e84684c46f0 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1306,6 +1306,8 @@ static __always_inline int validate_range(struct mm_struct *mm, return -EINVAL; if (len > task_size - start) return -EINVAL; + if (start + len <= start) + return -EINVAL; return 0; } @@ -1760,14 +1762,8 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len); if (ret) goto out; - /* - * double check for wraparound just in case. copy_from_user() - * will later check uffdio_copy.src + uffdio_copy.len to fit - * in the userland range. - */ + ret = -EINVAL; - if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src) - goto out; if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP)) goto out; if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP) @@ -1927,11 +1923,6 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) goto out; ret = -EINVAL; - /* double check for wraparound just in case. */ - if (uffdio_continue.range.start + uffdio_continue.range.len <= - uffdio_continue.range.start) { - goto out; - } if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE | UFFDIO_CONTINUE_MODE_WP)) goto out;