From: Lorenzo Stoakes <ljs@kernel.org>
To: Yi Xie <xieyi@kylinos.cn>
Cc: brauner@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ipc/sem: check nsops overflow in do_semtimedop()
Date: Mon, 29 Jun 2026 11:16:36 +0100 [thread overview]
Message-ID: <akJCnshIArIr1tOZ@lucifer> (raw)
In-Reply-To: <20260629065705.99400-1-xieyi@kylinos.cn>
On Mon, Jun 29, 2026 at 02:57:05PM +0800, Yi Xie wrote:
> do_semtimedop() caps nsops against sc_semopm, but still multiplies it by
> sizeof(struct sembuf) when copying from userspace. That product can
> overflow, so copy_from_user() may not match what kvmalloc_objs() allocated.
This is just incorrect, becasue for copy_from_user() to happen kvmalloc_objs()
would be called -> __alloc_objs() -> size_mul() (saturates) -> -ENOMEM.
>
> Use check_mul_overflow() and return -E2BIG on overflow.
>
> Signed-off-by: Yi Xie <xieyi@kylinos.cn>
> ---
> ipc/sem.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/ipc/sem.c b/ipc/sem.c
> index 5ec41de7e85b..791a0505923b 100644
> --- a/ipc/sem.c
> +++ b/ipc/sem.c
> @@ -86,6 +86,7 @@
> #include <linux/ipc_namespace.h>
> #include <linux/sched/wake_q.h>
> #include <linux/nospec.h>
> +#include <linux/overflow.h>
> #include <linux/rhashtable.h>
>
> #include <linux/uaccess.h>
> @@ -2225,6 +2226,7 @@ static long do_semtimedop(int semid, struct sembuf __user *tsops,
> struct sembuf fast_sops[SEMOPM_FAST];
> struct sembuf *sops = fast_sops;
> struct ipc_namespace *ns;
> + size_t sops_bytes;
Maybe just len or size?
> int ret;
>
> ns = current->nsproxy->ipc_ns;
> @@ -2232,6 +2234,8 @@ static long do_semtimedop(int semid, struct sembuf __user *tsops,
> return -E2BIG;
> if (nsops < 1)
> return -EINVAL;
> + if (check_mul_overflow(nsops, sizeof(*sops), &sops_bytes))
> + return -E2BIG;
struct sembuf is 6 bytes is size, so you'd need some truly enormous
ns->sc_semopm (defaults to SEMOPM == 500) and nsops to get an overflow here, and
it'd only be the case on 32-bit systems also.
But in any case as per above,
kvmalloc_objs() -> __alloc_objs() -> size_mul() (saturates) -> -ENOMEM.
So this check is redundant.
>
> if (nsops > SEMOPM_FAST) {
> sops = kvmalloc_objs(*sops, nsops);
> @@ -2239,7 +2243,7 @@ static long do_semtimedop(int semid, struct sembuf __user *tsops,
> return -ENOMEM;
> }
>
> - if (copy_from_user(sops, tsops, nsops * sizeof(*tsops))) {
> + if (copy_from_user(sops, tsops, sops_bytes)) {
> ret = -EFAULT;
> goto out_free;
> }
> --
> 2.25.1
>
Thanks, Lorenzo
prev parent reply other threads:[~2026-06-29 10:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 6:57 [PATCH] ipc/sem: check nsops overflow in do_semtimedop() Yi Xie
2026-06-29 10:16 ` Lorenzo Stoakes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akJCnshIArIr1tOZ@lucifer \
--to=ljs@kernel.org \
--cc=brauner@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=xieyi@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.