From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30AA6C6FA8E for ; Sun, 26 Feb 2023 15:01:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230157AbjBZPBB (ORCPT ); Sun, 26 Feb 2023 10:01:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231597AbjBZO7C (ORCPT ); Sun, 26 Feb 2023 09:59:02 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8699E13519; Sun, 26 Feb 2023 06:52:33 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 66FACB80C75; Sun, 26 Feb 2023 14:52:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B42EC4339C; Sun, 26 Feb 2023 14:52:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1677423131; bh=/FC3+Ggio4ki1T4vGBdqxEcyWmAUkzR56/8F1mKQuTo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DWvnEdyOYdQo95jcVD4HhoZuF1p2b//4g08ENul13bEGvW/TxXRT8NiklfIWxusNc r59Dr6xxIrKqJTxJvwNso6L46LYkZNmIGwoukLE+zeaVC0YJ0pFc7X2GN1th/yl+7Y L6ICbjdwAwX9/Q1S19ixMMvLSN9RWtJqIzJeWAwfmTUd/PP5vFg3oQJqC2FUd1F1cs RjnXO9ln4R3RrDcS/AqhNAOBPeDQ7AirfzmftZuzLKo6y6a/oYV1J+3KQSuegxd5xA 1MouwZVcHy+NC6w7ypt8ZP31NvUMhTqHa/WhoM6OEj1/+P7wuNVWlnO9DC4pTPjkT4 xyvEL6OQlFd+g== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Kees Cook , Christian Brauner , Rasmus Villemoes , Arnd Bergmann , Dinh Nguyen , Catalin Marinas , Andrew Morton , Geert Uytterhoeven , Alexander Potapenko , Aleksa Sarai , Sasha Levin , linmiaohe@huawei.com, muchun.song@linux.dev, steve@sk2.org, viro@zeniv.linux.org.uk, christophe.leroy@csgroup.eu Subject: [PATCH AUTOSEL 5.4 18/19] uaccess: Add minimum bounds check on kernel buffer size Date: Sun, 26 Feb 2023 09:51:20 -0500 Message-Id: <20230226145123.829229-18-sashal@kernel.org> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230226145123.829229-1-sashal@kernel.org> References: <20230226145123.829229-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook [ Upstream commit 04ffde1319a715bd0550ded3580d4ea3bc003776 ] While there is logic about the difference between ksize and usize, copy_struct_from_user() didn't check the size of the destination buffer (when it was known) against ksize. Add this check so there is an upper bounds check on the possible memset() call, otherwise lower bounds checks made by callers will trigger bounds warnings under -Warray-bounds. Seen under GCC 13: In function 'copy_struct_from_user', inlined from 'iommufd_fops_ioctl' at ../drivers/iommu/iommufd/main.c:333:8: ../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=] 59 | #define __underlying_memset __builtin_memset | ^ ../include/linux/fortify-string.h:453:9: note: in expansion of macro '__underlying_memset' 453 | __underlying_memset(p, c, __fortify_size); \ | ^~~~~~~~~~~~~~~~~~~ ../include/linux/fortify-string.h:461:25: note: in expansion of macro '__fortify_memset_chk' 461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ | ^~~~~~~~~~~~~~~~~~~~ ../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset' 334 | memset(dst + size, 0, rest); | ^~~~~~ ../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl': ../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here 311 | union ucmd_buffer buf; | ^~~ Cc: Christian Brauner Cc: Rasmus Villemoes Cc: Arnd Bergmann Cc: Dinh Nguyen Cc: Catalin Marinas Cc: Andrew Morton Cc: Geert Uytterhoeven Cc: Alexander Potapenko Acked-by: Aleksa Sarai Signed-off-by: Kees Cook Link: https://lore.kernel.org/lkml/20230203193523.never.667-kees@kernel.org/ Signed-off-by: Sasha Levin --- include/linux/uaccess.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index 38555435a64a3..70941f49d66ee 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -287,6 +287,10 @@ copy_struct_from_user(void *dst, size_t ksize, const void __user *src, size_t size = min(ksize, usize); size_t rest = max(ksize, usize) - size; + /* Double check if ksize is larger than a known object size. */ + if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1))) + return -E2BIG; + /* Deal with trailing bytes. */ if (usize < ksize) { memset(dst + size, 0, rest); -- 2.39.0