[PATCH v3 2/8] mm: userfaultfd: check for start + len overflow in validate_range

Linux Kernel Selftest development
 help / color / mirror / Atom feed

From: Axel Rasmussen <axelrasmussen@google.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Brian Geffon <bgeffon@google.com>,
	Christian Brauner <brauner@kernel.org>,
	David Hildenbrand <david@redhat.com>,
	Gaosheng Cui <cuigaosheng1@huawei.com>,
	Huang Ying <ying.huang@intel.com>,
	Hugh Dickins <hughd@google.com>,
	James Houghton <jthoughton@google.com>,
	"Jan Alexander Steffens (heftig)" <heftig@archlinux.org>,
	Jiaqi Yan <jiaqiyan@google.com>, Jonathan Corbet <corbet@lwn.net>,
	Kefeng Wang <wangkefeng.wang@huawei.com>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Miaohe Lin <linmiaohe@huawei.com>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	"Mike Rapoport (IBM)" <rppt@kernel.org>,
	Muchun Song <muchun.song@linux.dev>,
	Nadav Amit <namit@vmware.com>,
	Naoya Horiguchi <naoya.horiguchi@nec.com>,
	Peter Xu <peterx@redhat.com>, Ryan Roberts <ryan.roberts@arm.com>,
	Shuah Khan <shuah@kernel.org>,
	Suleiman Souhlal <suleiman@google.com>,
	Suren Baghdasaryan <surenb@google.com>,
	"T.J. Alumbaugh" <talumbau@google.com>,
	Yu Zhao <yuzhao@google.com>, ZhangPeng <zhangpeng362@huawei.com>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
	linux-kselftest@vger.kernel.org,
	Axel Rasmussen <axelrasmussen@google.com>
Subject: [PATCH v3 2/8] mm: userfaultfd: check for start + len overflow in validate_range
Date: Thu,  6 Jul 2023 15:50:30 -0700	[thread overview]
Message-ID: <20230706225037.1164380-3-axelrasmussen@google.com> (raw)
In-Reply-To: <20230706225037.1164380-1-axelrasmussen@google.com>

Most userfaultfd ioctls take a `start + len` range as an argument.
We have the validate_range helper to check that such ranges are valid.
However, some (but not all!) ioctls *also* check that `start + len`
doesn't wrap around (overflow).

Just check for this in validate_range. This saves some repetitive code,
and adds the check to some ioctls which weren't bothering to check for
it before.

Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
---
 fs/userfaultfd.c | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 7cecd49e078b..2e84684c46f0 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1306,6 +1306,8 @@ static __always_inline int validate_range(struct mm_struct *mm,
 		return -EINVAL;
 	if (len > task_size - start)
 		return -EINVAL;
+	if (start + len <= start)
+		return -EINVAL;
 	return 0;
 }
 
@@ -1760,14 +1762,8 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
 	ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);
 	if (ret)
 		goto out;
-	/*
-	 * double check for wraparound just in case. copy_from_user()
-	 * will later check uffdio_copy.src + uffdio_copy.len to fit
-	 * in the userland range.
-	 */
+
 	ret = -EINVAL;
-	if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
-		goto out;
 	if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
 		goto out;
 	if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP)
@@ -1927,11 +1923,6 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg)
 		goto out;
 
 	ret = -EINVAL;
-	/* double check for wraparound just in case. */
-	if (uffdio_continue.range.start + uffdio_continue.range.len <=
-	    uffdio_continue.range.start) {
-		goto out;
-	}
 	if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE |
 				     UFFDIO_CONTINUE_MODE_WP))
 		goto out;
-- 
2.41.0.255.g8b1d071c50-goog

next prev parent reply	other threads:[~2023-07-06 22:50 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-06 22:50 [PATCH v3 0/8] add UFFDIO_POISON to simulate memory poisoning with UFFD Axel Rasmussen
2023-07-06 22:50 ` [PATCH v3 1/8] mm: make PTE_MARKER_SWAPIN_ERROR more general Axel Rasmussen
2023-07-07 13:10   ` Peter Xu
2023-07-06 22:50 ` Axel Rasmussen [this message]
2023-07-07 13:14   ` [PATCH v3 2/8] mm: userfaultfd: check for start + len overflow in validate_range Peter Xu
2023-07-06 22:50 ` [PATCH v3 3/8] mm: userfaultfd: extract file size check out into a helper Axel Rasmussen
2023-07-07 13:15   ` Peter Xu
2023-07-06 22:50 ` [PATCH v3 4/8] mm: userfaultfd: add new UFFDIO_POISON ioctl Axel Rasmussen
2023-07-07 13:37   ` Peter Xu
2023-07-07 19:56     ` Axel Rasmussen
2023-07-06 22:50 ` [PATCH v3 5/8] mm: userfaultfd: support UFFDIO_POISON for hugetlbfs Axel Rasmussen
2023-07-07 13:39   ` Peter Xu
2023-07-06 22:50 ` [PATCH v3 6/8] mm: userfaultfd: document and enable new UFFDIO_POISON feature Axel Rasmussen
2023-07-06 22:50 ` [PATCH v3 7/8] selftests/mm: refactor uffd_poll_thread to allow custom fault handlers Axel Rasmussen
2023-07-07 13:42   ` Peter Xu
2023-07-07 17:03     ` Axel Rasmussen
2023-07-07 20:38       ` Axel Rasmussen
2023-07-07 21:00         ` Peter Xu
2023-07-06 22:50 ` [PATCH v3 8/8] selftests/mm: add uffd unit test for UFFDIO_POISON Axel Rasmussen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7cecd49e078 dfblob:2e84684c46f )
 OR (
bs:"[PATCH v3 2/8] mm: userfaultfd: check for start + len overflow in validate_range" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230706225037.1164380-3-axelrasmussen@google.com \
    --to=axelrasmussen@google.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=bgeffon@google.com \
    --cc=brauner@kernel.org \
    --cc=corbet@lwn.net \
    --cc=cuigaosheng1@huawei.com \
    --cc=david@redhat.com \
    --cc=heftig@archlinux.org \
    --cc=hughd@google.com \
    --cc=jiaqiyan@google.com \
    --cc=jthoughton@google.com \
    --cc=linmiaohe@huawei.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mike.kravetz@oracle.com \
    --cc=muchun.song@linux.dev \
    --cc=namit@vmware.com \
    --cc=naoya.horiguchi@nec.com \
    --cc=peterx@redhat.com \
    --cc=rppt@kernel.org \
    --cc=ryan.roberts@arm.com \
    --cc=shuah@kernel.org \
    --cc=suleiman@google.com \
    --cc=surenb@google.com \
    --cc=talumbau@google.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wangkefeng.wang@huawei.com \
    --cc=ying.huang@intel.com \
    --cc=yuzhao@google.com \
    --cc=zhangpeng362@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox