From: Jason Gunthorpe <jgg@ziepe.ca>
To: Dan Carpenter <error27@gmail.com>
Cc: iommu@lists.linux.dev
Subject: Re: [bug report] iommufd: vfio container FD ioctl compatibility
Date: Tue, 15 Nov 2022 16:29:20 -0400 [thread overview]
Message-ID: <Y3P2oEIICOTiVOBH@ziepe.ca> (raw)
In-Reply-To: <Y2Nhj0mIjrSJwO7W@kili>
On Tue, Nov 15, 2022 at 03:45:00PM +0300, Dan Carpenter wrote:
> [ Resending two weeks of email because mutt + msmtp has been silently
> eating my outgoing mail instead of delivering it. *sigh* -dan ]
>
> Hello Jason Gunthorpe,
>
> The patch 32c328dc9b73: "iommufd: vfio container FD ioctl
> compatibility" from Dec 15, 2021, leads to the following Smatch
> static checker warning:
>
> drivers/iommu/iommufd/vfio_compat.c:174 iommufd_vfio_unmap_dma()
> warn: potential integer overflow from user (local copy) 'unmap.iova + unmap.size'
>
> drivers/iommu/iommufd/vfio_compat.c
> 140 static int iommufd_vfio_unmap_dma(struct iommufd_ctx *ictx, unsigned int cmd,
> 141 void __user *arg)
> 142 {
> 143 size_t minsz = offsetofend(struct vfio_iommu_type1_dma_unmap, size);
> 144 /*
> 145 * VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP is obsoleted by the new
> 146 * dirty tracking direction:
> 147 * https://lore.kernel.org/kvm/20220731125503.142683-1-yishaih@nvidia.com/
> 148 * https://lore.kernel.org/kvm/20220428210933.3583-1-joao.m.martins@oracle.com/
> 149 */
> 150 u32 supported_flags = VFIO_DMA_UNMAP_FLAG_ALL;
> 151 struct vfio_iommu_type1_dma_unmap unmap;
> 152 struct iommufd_ioas *ioas;
> 153 unsigned long unmapped;
> 154 int rc;
> 155
> 156 if (copy_from_user(&unmap, arg, minsz))
> 157 return -EFAULT;
> 158
> 159 if (unmap.argsz < minsz || unmap.flags & ~supported_flags)
> 160 return -EINVAL;
> 161
> 162 ioas = get_compat_ioas(ictx);
> 163 if (IS_ERR(ioas))
> 164 return PTR_ERR(ioas);
> 165
> 166 if (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL) {
> 167 if (unmap.iova != 0 || unmap.size != 0) {
> 168 rc = -EINVAL;
> 169 goto err_put;
> 170 }
> 171 rc = iopt_unmap_all(&ioas->iopt, &unmapped);
> 172 } else {
> 173 if (READ_ONCE(ioas->iopt.disable_large_pages)) {
> --> 174 unsigned long iovas[] = { unmap.iova + unmap.size - 1,
>
> The unmap.iova + unmap.size addition can have an integer overflow. It's
> unclear to me if this is caught later or if it has any negative
> implications.
There are no negative implications to the kernel, which is why I left
it unchecked here.
Do you think we should have the check for the sake of static tools?
Jason
next prev parent reply other threads:[~2022-11-15 20:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-15 12:45 [bug report] iommufd: vfio container FD ioctl compatibility Dan Carpenter
2022-11-15 20:29 ` Jason Gunthorpe [this message]
2022-11-16 18:11 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y3P2oEIICOTiVOBH@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=error27@gmail.com \
--cc=iommu@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox