[PATCH v4 2/8] mm: userfaultfd: check for start + len overflow in validate_range

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Axel Rasmussen <axelrasmussen@google.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	 Brian Geffon <bgeffon@google.com>,
	Christian Brauner <brauner@kernel.org>,
	 David Hildenbrand <david@redhat.com>,
	Gaosheng Cui <cuigaosheng1@huawei.com>,
	 Huang Ying <ying.huang@intel.com>,
	Hugh Dickins <hughd@google.com>,
	 James Houghton <jthoughton@google.com>,
	 "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>,
	Jiaqi Yan <jiaqiyan@google.com>,
	 Jonathan Corbet <corbet@lwn.net>,
	Kefeng Wang <wangkefeng.wang@huawei.com>,
	 "Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Miaohe Lin <linmiaohe@huawei.com>,
	 Mike Kravetz <mike.kravetz@oracle.com>,
	"Mike Rapoport (IBM)" <rppt@kernel.org>,
	 Muchun Song <muchun.song@linux.dev>,
	Nadav Amit <namit@vmware.com>,
	 Naoya Horiguchi <naoya.horiguchi@nec.com>,
	Peter Xu <peterx@redhat.com>,
	 Ryan Roberts <ryan.roberts@arm.com>,
	Shuah Khan <shuah@kernel.org>,
	 Suleiman Souhlal <suleiman@google.com>,
	Suren Baghdasaryan <surenb@google.com>,
	 "T.J. Alumbaugh" <talumbau@google.com>,
	Yu Zhao <yuzhao@google.com>,  ZhangPeng <zhangpeng362@huawei.com>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	 linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
	 linux-kselftest@vger.kernel.org,
	Axel Rasmussen <axelrasmussen@google.com>
Subject: [PATCH v4 2/8] mm: userfaultfd: check for start + len overflow in validate_range
Date: Fri,  7 Jul 2023 14:55:34 -0700	[thread overview]
Message-ID: <20230707215540.2324998-3-axelrasmussen@google.com> (raw)
In-Reply-To: <20230707215540.2324998-1-axelrasmussen@google.com>

Most userfaultfd ioctls take a `start + len` range as an argument.
We have the validate_range helper to check that such ranges are valid.
However, some (but not all!) ioctls *also* check that `start + len`
doesn't wrap around (overflow).

Just check for this in validate_range. This saves some repetitive code,
and adds the check to some ioctls which weren't bothering to check for
it before.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
---
 fs/userfaultfd.c | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 7cecd49e078b..2e84684c46f0 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1306,6 +1306,8 @@ static __always_inline int validate_range(struct mm_struct *mm,
 		return -EINVAL;
 	if (len > task_size - start)
 		return -EINVAL;
+	if (start + len <= start)
+		return -EINVAL;
 	return 0;
 }
 
@@ -1760,14 +1762,8 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
 	ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);
 	if (ret)
 		goto out;
-	/*
-	 * double check for wraparound just in case. copy_from_user()
-	 * will later check uffdio_copy.src + uffdio_copy.len to fit
-	 * in the userland range.
-	 */
+
 	ret = -EINVAL;
-	if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
-		goto out;
 	if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
 		goto out;
 	if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP)
@@ -1927,11 +1923,6 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg)
 		goto out;
 
 	ret = -EINVAL;
-	/* double check for wraparound just in case. */
-	if (uffdio_continue.range.start + uffdio_continue.range.len <=
-	    uffdio_continue.range.start) {
-		goto out;
-	}
 	if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE |
 				     UFFDIO_CONTINUE_MODE_WP))
 		goto out;
-- 
2.41.0.255.g8b1d071c50-goog

next prev parent reply	other threads:[~2023-07-07 21:55 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-07 21:55 [PATCH v4 0/8] add UFFDIO_POISON to simulate memory poisoning with UFFD Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 1/8] mm: make PTE_MARKER_SWAPIN_ERROR more general Axel Rasmussen
2023-07-08 15:00   ` Peter Xu
2023-07-09  1:08   ` Andrew Morton
2023-07-10 17:19     ` Axel Rasmussen
2023-07-10 21:59       ` Axel Rasmussen
2023-07-07 21:55 ` Axel Rasmussen [this message]
2023-07-07 21:55 ` [PATCH v4 3/8] mm: userfaultfd: extract file size check out into a helper Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 4/8] mm: userfaultfd: add new UFFDIO_POISON ioctl Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 5/8] mm: userfaultfd: support UFFDIO_POISON for hugetlbfs Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 6/8] mm: userfaultfd: document and enable new UFFDIO_POISON feature Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 7/8] selftests/mm: refactor uffd_poll_thread to allow custom fault handlers Axel Rasmussen
2023-07-08 15:02   ` Peter Xu
2023-07-10 17:08     ` Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 8/8] selftests/mm: add uffd unit test for UFFDIO_POISON Axel Rasmussen
2023-09-21 16:28   ` Ryan Roberts

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7cecd49e078 dfblob:2e84684c46f )
 OR (
bs:"[PATCH v4 2/8] mm: userfaultfd: check for start + len overflow in validate_range" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230707215540.2324998-3-axelrasmussen@google.com \
    --to=axelrasmussen@google.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=bgeffon@google.com \
    --cc=brauner@kernel.org \
    --cc=corbet@lwn.net \
    --cc=cuigaosheng1@huawei.com \
    --cc=david@redhat.com \
    --cc=heftig@archlinux.org \
    --cc=hughd@google.com \
    --cc=jiaqiyan@google.com \
    --cc=jthoughton@google.com \
    --cc=linmiaohe@huawei.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mike.kravetz@oracle.com \
    --cc=muchun.song@linux.dev \
    --cc=namit@vmware.com \
    --cc=naoya.horiguchi@nec.com \
    --cc=peterx@redhat.com \
    --cc=rppt@kernel.org \
    --cc=ryan.roberts@arm.com \
    --cc=shuah@kernel.org \
    --cc=suleiman@google.com \
    --cc=surenb@google.com \
    --cc=talumbau@google.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wangkefeng.wang@huawei.com \
    --cc=ying.huang@intel.com \
    --cc=yuzhao@google.com \
    --cc=zhangpeng362@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).