* [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length()
@ 2022-10-04 22:59 Borys
  2022-10-04 23:15 ` Jarkko Sakkinen
  2022-11-08 20:02 ` [tip: x86/urgent] " tip-bot2 for Borys Popławski
  0 siblings, 2 replies; 4+ messages in thread
From: Borys @ 2022-10-04 22:59 UTC (permalink / raw)
  To: Jarkko Sakkinen, Dave Hansen, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, x86, H. Peter Anvin, linux-sgx, linux-kernel
  Cc: Reinette Chatre, Michał Kowalczyk

sgx_validate_offset_length() function verifies "offset" and "length"
arguments provided by userspace, but was missing an overflow check on
their addition.
This code was originally introduced in commit c6d26d370767 ("x86/sgx:
Add SGX_IOC_ENCLAVE_ADD_PAGES") and later refactored in commit
dda03e2c331b ("x86/sgx: Create utility to validate user provided offset
and length").

Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
---
 Applies on top of tip/x86/sgx ee56a283988d739c25d2d00ffb22707cb487ab47

 arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index ebe79d60619f..da8b8ea6b063 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
 	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
 		return -EINVAL;
 
+	if (offset + length < offset)
+		return -EINVAL;
+
 	if (offset + length - PAGE_SIZE >= encl->size)
 		return -EINVAL;
 
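Review bot: the wrap test "if (offset + length < offset)" in the added lines is only correct when both operands are unsigned, and the parameter declarations fall outside this hunk, so the types are worth confirming. check_add_overflow(offset, length, &end) from <linux/overflow.h> would state the intent directly and let the range check that follows reuse "end" instead of recomputing offset + length.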
-- 
2.37.3
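
A user-space model of the validation this patch changes, added here as an illustration and not taken from the kernel tree or from any message in this thread. It copies only the checks visible in the hunk and assumes offset, length and the enclave size are unsigned 64-bit values; struct encl_model, validate_before() and validate_after() are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#undef PAGE_SIZE
#define PAGE_SIZE 4096ULL
#define IS_ALIGNED(x, a) (((x) & ((a) - 1)) == 0)

/* Hypothetical stand-in for struct sgx_encl: only the field the checks read. */
struct encl_model { uint64_t size; };

/* The two checks visible in the hunk before the patch. */
static int validate_before(const struct encl_model *encl,
                           uint64_t offset, uint64_t length)
{
    if (!length || !IS_ALIGNED(length, PAGE_SIZE))
        return -EINVAL;
    /* A wrapped sum is small, so this range test can pass. */
    if (offset + length - PAGE_SIZE >= encl->size)
        return -EINVAL;
    return 0;
}

/* Same checks with the patch's wrap test in between. */
static int validate_after(const struct encl_model *encl,
                          uint64_t offset, uint64_t length)
{
    if (!length || !IS_ALIGNED(length, PAGE_SIZE))
        return -EINVAL;
    if (offset + length < offset)   /* unsigned sum wrapped past 2^64 */
        return -EINVAL;
    if (offset + length - PAGE_SIZE >= encl->size)
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct encl_model encl = { .size = 16 * PAGE_SIZE };
    /* Constructed inputs: in range, past the end, and a wrapping pair. */
    uint64_t cases[][2] = {
        { 0x1000, 0x2000 },
        { 0x10000, 0x1000 },
        { 0xFFFFFFFFFFFFF000ULL, 0x2000 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("offset=%#llx length=%#llx before=%d after=%d\n",
               (unsigned long long)cases[i][0], (unsigned long long)cases[i][1],
               validate_before(&encl, cases[i][0], cases[i][1]),
               validate_after(&encl, cases[i][0], cases[i][1]));
    return 0;
}
```

Only the third pair differs between the two functions: its sum wraps to 0x1000, which the pre-patch range test accepts.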



* Re: [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length()
  2022-10-04 22:59 [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length() Borys
@ 2022-10-04 23:15 ` Jarkko Sakkinen
  2022-11-08 19:08   ` Reinette Chatre
  2022-11-08 20:02 ` [tip: x86/urgent] " tip-bot2 for Borys Popławski
  1 sibling, 1 reply; 4+ messages in thread
From: Jarkko Sakkinen @ 2022-10-04 23:15 UTC (permalink / raw)
  To: Borys
  Cc: Dave Hansen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86,
	H. Peter Anvin, linux-sgx, linux-kernel, Reinette Chatre,
	Michał Kowalczyk

On Wed, Oct 05, 2022 at 12:59:03AM +0200, Borys wrote:
> sgx_validate_offset_length() function verifies "offset" and "length"
> arguments provided by userspace, but was missing an overflow check on
> their addition.
> This code was originally introduced in commit c6d26d370767 ("x86/sgx:
> Add SGX_IOC_ENCLAVE_ADD_PAGES") and later refactored in commit
> dda03e2c331b ("x86/sgx: Create utility to validate user provided offset
> and length").
> 
> Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
> Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
> ---
>  Applies on top of tip/x86/sgx ee56a283988d739c25d2d00ffb22707cb487ab47
> 
>  arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
> index ebe79d60619f..da8b8ea6b063 100644
> --- a/arch/x86/kernel/cpu/sgx/ioctl.c
> +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
> @@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
>  	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
>  		return -EINVAL;
>  
> +	if (offset + length < offset)
> +		return -EINVAL;
> +
>  	if (offset + length - PAGE_SIZE >= encl->size)
>  		return -EINVAL;
>  
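Review bot: the added "if (offset + length < offset)" carries no comment saying why it is needed, and the reason is not obvious from the line itself. The next test, "offset + length - PAGE_SIZE >= encl->size", compares a sum that can wrap to a small value and so pass for a range outside the enclave; a one-line comment to that effect above the new check would keep a later cleanup from dropping it as redundant.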
> -- 
> 2.37.3
> 

Thank you.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BTW, needs:

Cc: stable@vger.kernel.org # v5.11+

BR, Jarkko


* Re: [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length()
  2022-10-04 23:15 ` Jarkko Sakkinen
@ 2022-11-08 19:08   ` Reinette Chatre
  0 siblings, 0 replies; 4+ messages in thread
From: Reinette Chatre @ 2022-11-08 19:08 UTC (permalink / raw)
  To: Jarkko Sakkinen, Borys, Dave Hansen, Thomas Gleixner,
	Ingo Molnar, Borislav Petkov, x86
  Cc: H. Peter Anvin, linux-sgx, linux-kernel, Michał Kowalczyk

(Move x86 maintainers to "To:")

Hi Maintainers,

Could you please consider this fix for inclusion?

Thank you very much

Reinette

On 10/4/2022 4:15 PM, Jarkko Sakkinen wrote:
> On Wed, Oct 05, 2022 at 12:59:03AM +0200, Borys wrote:
>> sgx_validate_offset_length() function verifies "offset" and "length"
>> arguments provided by userspace, but was missing an overflow check on
>> their addition.
>> This code was originally introduced in commit c6d26d370767 ("x86/sgx:
>> Add SGX_IOC_ENCLAVE_ADD_PAGES") and later refactored in commit
>> dda03e2c331b ("x86/sgx: Create utility to validate user provided offset
>> and length").
>>
>> Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
>> Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
>> ---
>>  Applies on top of tip/x86/sgx ee56a283988d739c25d2d00ffb22707cb487ab47
>>
>>  arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
>> index ebe79d60619f..da8b8ea6b063 100644
>> --- a/arch/x86/kernel/cpu/sgx/ioctl.c
>> +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
>> @@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
>>  	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
>>  		return -EINVAL;
>>  
>> +	if (offset + length < offset)
>> +		return -EINVAL;
>> +
>>  	if (offset + length - PAGE_SIZE >= encl->size)
>>  		return -EINVAL;
>>  
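Review bot: the new check and the range check after it both compute offset + length, and the pair could be a single comparison that never adds the two user values: "length > encl->size || offset > encl->size - length". That form matches the existing "- PAGE_SIZE >=" test only if offset and encl->size are page-aligned, which these lines do not show, so it is a suggestion to weigh once that is confirmed rather than a drop-in replacement.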
>> -- 
>> 2.37.3
>>
> 
> Thank you.
> 
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> 
> BTW, needs:
> 
> Cc: stable@vger.kernel.org # v5.11+
> 
> BR, Jarkko


* [tip: x86/urgent] x86/sgx: Add overflow check in sgx_validate_offset_length()
  2022-10-04 22:59 [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length() Borys
  2022-10-04 23:15 ` Jarkko Sakkinen
@ 2022-11-08 20:02 ` tip-bot2 for Borys Popławski
  1 sibling, 0 replies; 4+ messages in thread
From: tip-bot2 for Borys Popławski @ 2022-11-08 20:02 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: borysp, Borislav Petkov, Jarkko Sakkinen, stable, #, v5.11+,
	x86, linux-kernel

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     f0861f49bd946ff94fce4f82509c45e167f63690
Gitweb:        https://git.kernel.org/tip/f0861f49bd946ff94fce4f82509c45e167f63690
Author:        Borys Popławski <borysp@invisiblethingslab.com>
AuthorDate:    Wed, 05 Oct 2022 00:59:03 +02:00
Committer:     Borislav Petkov <bp@suse.de>
CommitterDate: Tue, 08 Nov 2022 20:34:05 +01:00

x86/sgx: Add overflow check in sgx_validate_offset_length()

sgx_validate_offset_length() function verifies "offset" and "length"
arguments provided by userspace, but was missing an overflow check on
their addition. Add it.

Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Cc: stable@vger.kernel.org # v5.11+
Link: https://lore.kernel.org/r/0d91ac79-6d84-abed-5821-4dbe59fa1a38@invisiblethingslab.com
---
 arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index ebe79d6..da8b8ea 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
 	if (!length || !IS_ALIGNED(length, PAGE_SIZE))
 		return -EINVAL;
 
+	if (offset + length < offset)
+		return -EINVAL;
+
 	if (offset + length - PAGE_SIZE >= encl->size)
 		return -EINVAL;
 
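Review bot: nothing in this change exercises the new -EINVAL return for a wrapping pair; the diffstat touches ioctl.c only. A case under tools/testing/selftests/sgx that calls an ioctl reaching this function (the Fixes tag names SGX_IOC_ENCLAVE_ADD_PAGES) with an offset and length whose sum wraps, and expects EINVAL, would pin the behaviour for the stable backports requested in the Cc tag.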
