* [PATCH] fs/nilfs2: copy userspace-array safely @ 2023-11-02 18:37 Philipp Stanner 2023-11-03 17:44 ` Ryusuke Konishi 0 siblings, 1 reply; 4+ messages in thread From: Philipp Stanner @ 2023-11-02 18:37 UTC (permalink / raw) To: Ryusuke Konishi; +Cc: linux-nilfs, linux-kernel, Philipp Stanner, Dave Airlie ioctl.c utilizes memdup_user() to copy a userspace array. This is done without an overflow-check. Use the new wrapper memdup_array_user() to copy the array more safely. Suggested-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> --- Linus recently merged this new wrapper for Kernel v6.7 --- fs/nilfs2/ioctl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 40ffade49f38..6a9dceebb18d 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, /* * argv[4] points to segment numbers this ioctl cleans. We - * use kmalloc() for its buffer because memory used for the - * segment numbers is enough small. + * use kmalloc() for its buffer because the memory used for the + * segment numbers is small enough. */ - kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base, - nsegs * sizeof(__u64)); + kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base, + nsegs, sizeof(__u64)); if (IS_ERR(kbufs[4])) { ret = PTR_ERR(kbufs[4]); goto out; -- 2.41.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/nilfs2: copy userspace-array safely 2023-11-02 18:37 [PATCH] fs/nilfs2: copy userspace-array safely Philipp Stanner @ 2023-11-03 17:44 ` Ryusuke Konishi 2023-11-03 17:56 ` Philipp Stanner 0 siblings, 1 reply; 4+ messages in thread From: Ryusuke Konishi @ 2023-11-03 17:44 UTC (permalink / raw) To: Philipp Stanner; +Cc: linux-nilfs, linux-kernel, Dave Airlie On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote: > > ioctl.c utilizes memdup_user() to copy a userspace array. This is done > without an overflow-check. > > Use the new wrapper memdup_array_user() to copy the array more safely. > > Suggested-by: Dave Airlie <airlied@redhat.com> > Signed-off-by: Philipp Stanner <pstanner@redhat.com> > --- > Linus recently merged this new wrapper for Kernel v6.7 The following overflow check is performed just before the usage of memdup_user(): if (nsegs > UINT_MAX / sizeof(__u64)) goto out; This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()") to avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user(). I learned about memdup_array_user() this time, and it seems to check for overflow when multiplying two size_t arguments (i.e. the number of elements and size of the array to be copied). Since size_t is 32-bit or 64-bit depending on the architecture, I think the overflow check that memdup_array_user() does is included in the above upper limit check by UINT_MAX. So, for security reasons, I don't think this change is necessary. (Am I missing something?) In terms of cleanup, I think the clarification this patch brings is good, but in that case, I'm concerned about the duplication of overflow checks. Thanks, Ryusuke Konishi > --- > fs/nilfs2/ioctl.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c > index 40ffade49f38..6a9dceebb18d 100644 > --- a/fs/nilfs2/ioctl.c > +++ b/fs/nilfs2/ioctl.c > @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, > > /* > * argv[4] points to segment numbers this ioctl cleans. We > - * use kmalloc() for its buffer because memory used for the > - * segment numbers is enough small. > + * use kmalloc() for its buffer because the memory used for the > + * segment numbers is small enough. > */ > - kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base, > - nsegs * sizeof(__u64)); > + kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base, > + nsegs, sizeof(__u64)); > if (IS_ERR(kbufs[4])) { > ret = PTR_ERR(kbufs[4]); > goto out; > -- > 2.41.0 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/nilfs2: copy userspace-array safely 2023-11-03 17:44 ` Ryusuke Konishi @ 2023-11-03 17:56 ` Philipp Stanner 2023-11-03 18:08 ` Ryusuke Konishi 0 siblings, 1 reply; 4+ messages in thread From: Philipp Stanner @ 2023-11-03 17:56 UTC (permalink / raw) To: Ryusuke Konishi; +Cc: linux-nilfs, linux-kernel, Dave Airlie On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote: > On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote: > > > > ioctl.c utilizes memdup_user() to copy a userspace array. This is > > done > > without an overflow-check. > > > > Use the new wrapper memdup_array_user() to copy the array more > > safely. > > > > Suggested-by: Dave Airlie <airlied@redhat.com> > > Signed-off-by: Philipp Stanner <pstanner@redhat.com> > > --- > > Linus recently merged this new wrapper for Kernel v6.7 > > The following overflow check is performed just before the usage of > memdup_user(): > > if (nsegs > UINT_MAX / sizeof(__u64)) > goto out; > > This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid > overflowing segment numbers in nilfs_ioctl_clean_segments()") to > avoid > overflowing nsegs * sizeof(__u64) in the subsequent call to > memdup_user(). > > I learned about memdup_array_user() this time, and it seems to check > for overflow when multiplying two size_t arguments (i.e. the number > of > elements and size of the array to be copied). > > Since size_t is 32-bit or 64-bit depending on the architecture, I > think the overflow check that memdup_array_user() does > is included in the above upper limit check by UINT_MAX. > > So, for security reasons, I don't think this change is necessary. > (Am > I missing something?) No, I think you are right. My commit message was very generic – it's more about unifying array-duplication. I should rephrase it. > > In terms of cleanup, I think the clarification this patch brings is > good, but in that case, I'm concerned about the duplication of > overflow checks. Alright, so would you prefer a patch that uses memdup_array_user() and, consequently, removes the preceding check? Regards, P. > > Thanks, > Ryusuke Konishi > > > --- > > fs/nilfs2/ioctl.c | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c > > index 40ffade49f38..6a9dceebb18d 100644 > > --- a/fs/nilfs2/ioctl.c > > +++ b/fs/nilfs2/ioctl.c > > @@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct > > inode *inode, struct file *filp, > > > > /* > > * argv[4] points to segment numbers this ioctl cleans. We > > - * use kmalloc() for its buffer because memory used for the > > - * segment numbers is enough small. > > + * use kmalloc() for its buffer because the memory used for > > the > > + * segment numbers is small enough. > > */ > > - kbufs[4] = memdup_user((void __user *)(unsigned > > long)argv[4].v_base, > > - nsegs * sizeof(__u64)); > > + kbufs[4] = memdup_array_user((void __user *)(unsigned > > long)argv[4].v_base, > > + nsegs, sizeof(__u64)); > > if (IS_ERR(kbufs[4])) { > > ret = PTR_ERR(kbufs[4]); > > goto out; > > -- > > 2.41.0 > > > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] fs/nilfs2: copy userspace-array safely 2023-11-03 17:56 ` Philipp Stanner @ 2023-11-03 18:08 ` Ryusuke Konishi 0 siblings, 0 replies; 4+ messages in thread From: Ryusuke Konishi @ 2023-11-03 18:08 UTC (permalink / raw) To: Philipp Stanner; +Cc: linux-nilfs, linux-kernel, Dave Airlie On Sat, Nov 4, 2023 at 2:56 AM Philipp Stanner wrote: > > On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote: > > On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote: > > > > > > ioctl.c utilizes memdup_user() to copy a userspace array. This is > > > done > > > without an overflow-check. > > > > > > Use the new wrapper memdup_array_user() to copy the array more > > > safely. > > > > > > Suggested-by: Dave Airlie <airlied@redhat.com> > > > Signed-off-by: Philipp Stanner <pstanner@redhat.com> > > > --- > > > Linus recently merged this new wrapper for Kernel v6.7 > > > > The following overflow check is performed just before the usage of > > memdup_user(): > > > > if (nsegs > UINT_MAX / sizeof(__u64)) > > goto out; > > > > This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid > > overflowing segment numbers in nilfs_ioctl_clean_segments()") to > > avoid > > overflowing nsegs * sizeof(__u64) in the subsequent call to > > memdup_user(). > > > > I learned about memdup_array_user() this time, and it seems to check > > for overflow when multiplying two size_t arguments (i.e. the number > > of > > elements and size of the array to be copied). > > > > Since size_t is 32-bit or 64-bit depending on the architecture, I > > think the overflow check that memdup_array_user() does > > is included in the above upper limit check by UINT_MAX. > > > > So, for security reasons, I don't think this change is necessary. > > (Am > > I missing something?) > > No, I think you are right. My commit message was very generic – it's > more about unifying array-duplication. > I should rephrase it. > > > > > In terms of cleanup, I think the clarification this patch brings is > > good, but in that case, I'm concerned about the duplication of > > overflow checks. > > Alright, so would you prefer a patch that uses memdup_array_user() and, > consequently, removes the preceding check? > > Regards, > P. Yeah. If you could revise it as a cleanup patch, I would like to adopt it for the next cycle. Regards, Ryusuke Konishi ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-11-03 18:09 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-11-02 18:37 [PATCH] fs/nilfs2: copy userspace-array safely Philipp Stanner 2023-11-03 17:44 ` Ryusuke Konishi 2023-11-03 17:56 ` Philipp Stanner 2023-11-03 18:08 ` Ryusuke Konishi
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox