[5.4,144/191] uaccess: disallow > INT_MAX copy sizes

Message ID	20200102215844.953035794@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=x1Uk=2X=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Kees Cook <keescook@chromium.org>, Dan Carpenter <dan.carpenter@oracle.com>, Alexander Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org> Subject: [PATCH 5.4 144/191] uaccess: disallow > INT_MAX copy sizes Date: Thu, 2 Jan 2020 23:07:06 +0100 Message-Id: <20200102215844.953035794@linuxfoundation.org> In-Reply-To: <20200102215829.911231638@linuxfoundation.org> References: <20200102215829.911231638@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [5.4,004/191] scsi: lpfc: Fix discovery failures when target device connectivity bounces [5.4,006/191] scsi: lpfc: Fix locking on mailbox command completion [5.4,008/191] gpio: mxc: Only get the second IRQ when there is more than one IRQ [5.4,010/191] Input: atmel_mxt_ts - disable IRQ across suspend [5.4,012/191] powerpc/papr_scm: Fix an off-by-one check in papr_scm_meta_{get, set} [5.4,013/191] tools/power/x86/intel-speed-select: Remove warning for unused result [5.4,015/191] iommu: rockchip: Free domain on .domain_free [5.4,017/191] dmaengine: xilinx_dma: Clear desc_pendingcount in xilinx_dma_reset [5.4,018/191] scsi: target: compare full CHAP_A Algorithm strings [5.4,019/191] scsi: lpfc: Fix hardlockup in lpfc_abort_handler [5.4,022/191] scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec() [5.4,023/191] scsi: hisi_sas: Delete the debugfs folder of hisi_sas when the probe fails [5.4,024/191] powerpc/pseries: Mark accumulate_stolen_time() as notrace [5.4,027/191] selftests/powerpc: Fixup clobbers for TM tests [5.4,029/191] dma-debug: add a schedule point in debug_dma_dump_mappings() [5.4,031/191] dma-mapping: fix handling of dma-ranges for reserved memory (again) [5.4,033/191] leds: lm3692x: Handle failure to probe the regulator [5.4,035/191] leds: trigger: netdev: fix handling on interface rename [5.4,037/191] clocksource/drivers/timer-of: Use unique device name instead of timer [5.4,039/191] selftests/powerpc: Skip tm-signal-sigreturn-nt if TM not available [5.4,042/191] ext4: update direct I/O read lock pattern for IOCB_NOWAIT [5.4,043/191] ext4: iomap that extends beyond EOF should be marked dirty [5.4,044/191] jbd2: Fix statistics for the number of logged blocks [5.4,046/191] scsi: lpfc: Fix unexpected error messages during RSCN handling [5.4,049/191] clk: qcom: smd: Add missing pnoc clock [5.4,052/191] irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary [5.4,054/191] dma-direct: check for overflows on 32 bit DMA addresses [5.4,055/191] mfd: mfd-core: Honour Device Trees request to disable a child-device [5.4,059/191] iomap: fix return value of iomap_dio_bio_actor on 32bit systems [5.4,061/191] scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences [5.4,062/191] scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on Fastlane) [5.4,065/191] powerpc/pseries/cmm: Implement release() function for sysfs device [5.4,066/191] PCI: rpaphp: Dont rely on firmware feature to imply drc-info support [5.4,067/191] PCI: rpaphp: Annotate and correctly byte swap DRC properties [5.4,068/191] PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info [5.4,071/191] powerpc/book3s/mm: Update Oops message to print the correct translation in use [5.4,072/191] scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE [5.4,076/191] dt-bindings: Improve validation build error handling [5.4,077/191] HID: logitech-hidpp: Silence intermittent get_battery_capacity errors [5.4,079/191] ARM: 8937/1: spectre-v2: remove Brahma-B53 from hardening [5.4,082/191] HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transp... [5.4,083/191] watchdog: imx7ulp: Fix reboot hang [5.4,085/191] watchdog: Fix the race between the release of watchdog_core_data and cdev [5.4,087/191] scsi: pm80xx: Fix for SATA device discovery [5.4,088/191] scsi: ufs: Fix error handing during hibern8 enter [5.4,091/191] scsi: target: core: Release SPC-2 reservations when closing a session [5.4,092/191] scsi: ufs: Fix up auto hibern8 enablement [5.4,095/191] f2fs: Fix deadlock in f2fs_gc() context during atomic files handling [5.4,096/191] habanalabs: skip VA block list update in reset flow [5.4,098/191] platform/x86: intel_pmc_core: Fix the SoC naming inconsistency [5.4,100/191] gpio: mpc8xxx: Dont overwrite default irq_set_type callback [5.4,101/191] gpio: lynxpoint: Setup correct IRQ handlers [5.4,106/191] scripts/kallsyms: fix definitely-lost memory leak [5.4,108/191] f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_proje... [5.4,109/191] cifs: Fix use-after-free bug in cifs_reconnect() [5.4,112/191] of: unittest: fix memory leak in attach_node_and_children [5.4,115/191] perf diff: Use llabs() with 64-bit values [5.4,117/191] perf regs: Make perf_reg_name() return "unknown" instead of NULL [5.4,118/191] s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR [5.4,120/191] libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h [5.4,122/191] s390/cpum_sf: Check for SDBT and SDB consistency [5.4,123/191] ocfs2: fix passing zero to PTR_ERR warning [5.4,125/191] s390: disable preemption when switching to nodat stack with CALL_ON_STACK [5.4,126/191] selftests: vm: add fragment CONFIG_TEST_VMALLOC [5.4,127/191] mm/hugetlbfs: fix error handling when setting up mounts [5.4,131/191] sctp: fix err handling of stream initialization [5.4,133/191] Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection" [5.4,135/191] 6pack,mkiss: fix possible deadlock [5.4,137/191] net/smc: add fallback check to connect() [5.4,140/191] net: add a READ_ONCE() in skb_peek_tail() [5.4,141/191] net: icmp: fix data-race in cmp_global_allow() [5.4,143/191] tomoyo: Dont use nifty names on sockets. [5.4,144/191] uaccess: disallow > INT_MAX copy sizes [5.4,145/191] drm: limit to INT_MAX in create_blob ioctl [5.4,147/191] cxgb4/cxgb4vf: fix flow control display for auto negotiation [5.4,149/191] net/mlxfw: Fix out-of-memory error in mfa2 flash burning [5.4,151/191] net/sched: act_mirred: Pull mac prior redir to non mac_header_xmit device [5.4,152/191] net/sched: add delete_empty() to filters and use it in cls_flower [5.4,155/191] ptp: fix the race between the release of ptp_clock and cdev [5.4,156/191] tcp: Fix highest_sack and highest_sack_seq [5.4,158/191] bnxt_en: Fix MSIX request logic for RDMA driver. [5.4,162/191] bnxt_en: Remove unnecessary NULL checks for fw_health [5.4,164/191] bnxt_en: Add missing devlink health reporters for VFs. [5.4,165/191] mlxsw: spectrum_router: Skip loopback RIFs during MAC validation [5.4,167/191] net: add bool confirm_neigh parameter for dst_ops.update_pmtu [5.4,170/191] net/dst: add new function skb_dst_update_pmtu_no_confirm [5.4,172/191] vti: do not confirm neighbor when do pmtu update [5.4,173/191] sit: do not confirm neighbor when do pmtu update [5.4,175/191] net: dsa: sja1105: Reconcile the meaning of TPID and TPID2 for E/T and P/Q/R/S [5.4,178/191] gtp: avoid zero size hashtable [5.4,181/191] tcp/dccp: fix possible race __inet_lookup_established() [5.4,183/191] gtp: fix an use-after-free in ipv4_pdp_find() [5.4,184/191] gtp: do not allow adding duplicate tid and ms_addr pdp context [5.4,186/191] ipv6/addrconf: only check invalid header values when NETLINK_F_STRICT_CHK is set [5.4,187/191] net: phylink: fix interface passed to mac_link_up

Message ID

20200102215844.953035794@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.4 144/191] uaccess: disallow > INT_MAX copy sizes
Date: Thu,  2 Jan 2020 23:07:06 +0100
Message-Id: <20200102215844.953035794@linuxfoundation.org>
In-Reply-To: <20200102215829.911231638@linuxfoundation.org>
References: <20200102215829.911231638@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg KH Jan. 2, 2020, 10:07 p.m. UTC

From: Kees Cook <keescook@chromium.org>

commit 6d13de1489b6bf539695f96d945de3860e6d5e17 upstream.

As we've done with VFS, string operations, etc, reject usercopy sizes
larger than INT_MAX, which would be nice to have for catching bugs
related to size calculation overflows[1].

This adds 10 bytes to x86_64 defconfig text and 1980 bytes to the data
section:

     text    data     bss     dec     hex filename
  19691167        5134320 1646664 26472151        193eed7 vmlinux.before
  19691177        5136300 1646664 26474141        193f69d vmlinux.after

[1] https://marc.info/?l=linux-s390&m=156631939010493&w=2

Link: http://lkml.kernel.org/r/201908251612.F9902D7A@keescook
Signed-off-by: Kees Cook <keescook@chromium.org>
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/thread_info.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -147,6 +147,8 @@  check_copy_size(const void *addr, size_t
 			__bad_copy_to();
 		return false;
 	}
+	if (WARN_ON_ONCE(bytes > INT_MAX))
+		return false;
 	check_object_size(addr, bytes, is_source);
 	return true;
 }

[5.4,144/191] uaccess: disallow > INT_MAX copy sizes

Commit Message

Patch