From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
Christian Brauner <brauner@kernel.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Arnd Bergmann <arnd@arndb.de>, Dinh Nguyen <dinguyen@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Alexander Potapenko <glider@google.com>,
Aleksa Sarai <cyphar@cyphar.com>, Sasha Levin <sashal@kernel.org>,
steve@sk2.org, viro@zeniv.linux.org.uk,
christophe.leroy@csgroup.eu
Subject: [PATCH AUTOSEL 5.10 24/27] uaccess: Add minimum bounds check on kernel buffer size
Date: Sun, 26 Feb 2023 09:50:11 -0500 [thread overview]
Message-ID: <20230226145014.828855-24-sashal@kernel.org> (raw)
In-Reply-To: <20230226145014.828855-1-sashal@kernel.org>
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 04ffde1319a715bd0550ded3580d4ea3bc003776 ]
While there is logic about the difference between ksize and usize,
copy_struct_from_user() didn't check the size of the destination buffer
(when it was known) against ksize. Add this check so there is an upper
bounds check on the possible memset() call, otherwise lower bounds
checks made by callers will trigger bounds warnings under -Warray-bounds.
Seen under GCC 13:
In function 'copy_struct_from_user',
inlined from 'iommufd_fops_ioctl' at
../drivers/iommu/iommufd/main.c:333:8:
../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=]
59 | #define __underlying_memset __builtin_memset
| ^
../include/linux/fortify-string.h:453:9: note: in expansion of macro '__underlying_memset'
453 | __underlying_memset(p, c, __fortify_size); \
| ^~~~~~~~~~~~~~~~~~~
../include/linux/fortify-string.h:461:25: note: in expansion of macro '__fortify_memset_chk'
461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \
| ^~~~~~~~~~~~~~~~~~~~
../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset'
334 | memset(dst + size, 0, rest);
| ^~~~~~
../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl':
../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here
311 | union ucmd_buffer buf;
| ^~~
Cc: Christian Brauner <brauner@kernel.org>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Dinh Nguyen <dinguyen@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Alexander Potapenko <glider@google.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/lkml/20230203193523.never.667-kees@kernel.org/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/uaccess.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index c7c6e8b8344d4..20668760daa02 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -348,6 +348,10 @@ copy_struct_from_user(void *dst, size_t ksize, const void __user *src,
size_t size = min(ksize, usize);
size_t rest = max(ksize, usize) - size;
+ /* Double check if ksize is larger than a known object size. */
+ if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1)))
+ return -E2BIG;
+
/* Deal with trailing bytes. */
if (usize < ksize) {
memset(dst + size, 0, rest);
--
2.39.0
next prev parent reply other threads:[~2023-02-26 14:56 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 02/27] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 03/27] rcu: Make RCU_LOCKDEP_WARN() avoid early lockdep checks Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 04/27] rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 05/27] rcu-tasks: Make rude RCU-Tasks work well with CPU hotplug Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 06/27] wifi: ath11k: debugfs: fix to work with multiple PCI devices Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 07/27] thermal: intel: Fix unsigned comparison with less than zero Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 08/27] timers: Prevent union confusion from unexpected restart_syscall() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 09/27] x86/bugs: Reset speculation control settings on init Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 10/27] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 11/27] wifi: mt7601u: fix an integer underflow Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 12/27] inet: fix fast path in __inet_hash_connect() Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 13/27] ice: add missing checks for PF vsi type Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 14/27] ACPI: Don't build ACPICA with '-Os' Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 15/27] clocksource: Suspend the watchdog temporarily when high read latency detected Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 16/27] crypto: hisilicon: Wipe entire pool on error Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 17/27] netpoll: Remove 4s sleep during carrier detection Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 18/27] net: bcmgenet: Add a check for oversized packets Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 19/27] m68k: Check syscall_trace_enter() return code Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 21/27] ACPI: video: Fix Lenovo Ideapad Z570 DMI match Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 22/27] net/mlx5: fw_tracer: Fix debug print Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 23/27] coda: Avoid partial allocation of sig_inputArgs Sasha Levin
2023-02-26 14:50 ` Sasha Levin [this message]
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 25/27] PM: EM: fix memory leak with using debugfs_lookup() Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 26/27] Bluetooth: btusb: Add VID:PID 13d3:3529 for Realtek RTL8821CE Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 27/27] devlink: health: Fix nla_nest_end in error flow Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230226145014.828855-24-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=cyphar@cyphar.com \
--cc=dinguyen@kernel.org \
--cc=geert@linux-m68k.org \
--cc=glider@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=stable@vger.kernel.org \
--cc=steve@sk2.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).