From: Dan Carpenter <error27@gmail.com>
To: jgg@ziepe.ca
Cc: iommu@lists.linux.dev
Subject: [bug report] iommufd: vfio container FD ioctl compatibility
Date: Tue, 15 Nov 2022 15:45:00 +0300 [thread overview]
Message-ID: <Y2Nhj0mIjrSJwO7W@kili> (raw)
[ Resending two weeks of email because mutt + msmtp has been silently
eating my outgoing mail instead of delivering it. *sigh* -dan ]
Hello Jason Gunthorpe,
The patch 32c328dc9b73: "iommufd: vfio container FD ioctl
compatibility" from Dec 15, 2021, leads to the following Smatch
static checker warning:
drivers/iommu/iommufd/vfio_compat.c:174 iommufd_vfio_unmap_dma()
warn: potential integer overflow from user (local copy) 'unmap.iova + unmap.size'
drivers/iommu/iommufd/vfio_compat.c
140 static int iommufd_vfio_unmap_dma(struct iommufd_ctx *ictx, unsigned int cmd,
141 void __user *arg)
142 {
143 size_t minsz = offsetofend(struct vfio_iommu_type1_dma_unmap, size);
144 /*
145 * VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP is obsoleted by the new
146 * dirty tracking direction:
147 * https://lore.kernel.org/kvm/20220731125503.142683-1-yishaih@nvidia.com/
148 * https://lore.kernel.org/kvm/20220428210933.3583-1-joao.m.martins@oracle.com/
149 */
150 u32 supported_flags = VFIO_DMA_UNMAP_FLAG_ALL;
151 struct vfio_iommu_type1_dma_unmap unmap;
152 struct iommufd_ioas *ioas;
153 unsigned long unmapped;
154 int rc;
155
156 if (copy_from_user(&unmap, arg, minsz))
157 return -EFAULT;
158
159 if (unmap.argsz < minsz || unmap.flags & ~supported_flags)
160 return -EINVAL;
161
162 ioas = get_compat_ioas(ictx);
163 if (IS_ERR(ioas))
164 return PTR_ERR(ioas);
165
166 if (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL) {
167 if (unmap.iova != 0 || unmap.size != 0) {
168 rc = -EINVAL;
169 goto err_put;
170 }
171 rc = iopt_unmap_all(&ioas->iopt, &unmapped);
172 } else {
173 if (READ_ONCE(ioas->iopt.disable_large_pages)) {
--> 174 unsigned long iovas[] = { unmap.iova + unmap.size - 1,
The unmap.iova + unmap.size addition can have an integer overflow. It's
unclear to me if this is caught later or if it has any negative
implications.
What I remeber from looking at similar code is that because of the - 1,
it's supposed to be allowed to overflow to 0 but not further than that.
In other words the highest allowed value it ULONG_MAX and not
"ULONG_MAX - 1".
175 unmap.iova - 1 };
176
177 rc = iopt_cut_iova(&ioas->iopt, iovas,
178 unmap.iova ? 2 : 1);
179 if (rc)
180 goto err_put;
181 }
182 rc = iopt_unmap_iova(&ioas->iopt, unmap.iova, unmap.size,
183 &unmapped);
184 }
185 unmap.size = unmapped;
186 if (copy_to_user(arg, &unmap, minsz))
187 rc = -EFAULT;
188
189 err_put:
190 iommufd_put_object(&ioas->obj);
191 return rc;
192 }
regards,
dan carpenter
next reply other threads:[~2022-11-15 12:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-15 12:45 Dan Carpenter [this message]
2022-11-15 20:29 ` [bug report] iommufd: vfio container FD ioctl compatibility Jason Gunthorpe
2022-11-16 18:11 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y2Nhj0mIjrSJwO7W@kili \
--to=error27@gmail.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox