From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x2276EWt2LD0fy8/rJiAJFtKGzW35akJ/Ovnc2PkXXtYjqsMa8uJ3W8HK9WGNeUH/56yJoa0P ARC-Seal: i=1; a=rsa-sha256; t=1517256372; cv=none; d=google.com; s=arc-20160816; b=Yb/7l8tTpIU24iVYB7s8rtOolMzprc/T5I395BGOsd8o98Fs+u3Fyl3bFp26REkk8O hWEdWebWT3da+kerfcwOIQ1KUJGHxhDSGAtHJ6mAMmXEOmwE944j6vs7FbjX2cJ5FnyU mXYRRULp8T1g2Qti2K48KnvRwmSv7NcaoCwZ++p4v4H8AEwKwlIUs7/pEaoWCeTmZGxB c6gAmk/AlImAjyIrztAy7UL67YIsBhXajBvgZu6HdcgopAnov3lulaV8nbW/ohBOf3Up lxGeBUxYMjVLQLPoJO7uwP147m8QJfcZ0TdNpBpV04rgmjAQmaNUQBl8DC+sTfO62jUO VT9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=gKuquvHm3hazK7Idly6KZjOzul8yF7Q6ghJ7K5yfOCM=; b=uJ2g712h4oOJLf8cxEtefJcQWGdaeF+JcL2LGKW9JcZs4LPF9PjOk7xAeJB/8ok3Gs 3Is5Hp6UstkRuG0f/A2/JejbGFUzS2kwiUNjtkAPV/nBH7LNrghTdW2sKI9WyY0n+gU8 QW4umM2/cB6cnxS9wHh6JCWyNiPXK0SgGu0n+xE9kw2yNO/wWO2gF+5IcT07s0n1Ice1 9Jf5f9PxZEH4w2fPAWRMV5TuuETay0wZZOdlD6G9qnkz5HbFU8OVx7EvrxVzc9ubIZp9 vnTh5vZIdTHIgOVY6pcV76RAZZq56Ll0GO74sq2Tmm9hjMXkXMq4u+2cauSnLZsdH0jI l2tg== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Joe Lawrence , Mikulas Patocka , Al Viro , Jens Axboe , Michael Kerrisk , Randy Dunlap , Josh Poimboeuf , Andrew Morton , Linus Torvalds , Dong Jinguang Subject: [PATCH 3.18 08/52] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Date: Mon, 29 Jan 2018 13:56:26 +0100 Message-Id: <20180129123628.551342730@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123628.168904217@linuxfoundation.org> References: <20180129123628.168904217@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958618327931570?= X-GMAIL-MSGID: =?utf-8?q?1590958618327931570?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Joe Lawrence commit d3f14c485867cfb2e0c48aa88c41d0ef4bf5209c upstream. round_pipe_size() contains a right-bit-shift expression which may overflow, which would cause undefined results in a subsequent roundup_pow_of_two() call. static inline unsigned int round_pipe_size(unsigned int size) { unsigned long nr_pages; nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; return roundup_pow_of_two(nr_pages) << PAGE_SHIFT; } PAGE_SIZE is defined as (1UL << PAGE_SHIFT), so: - 4 bytes wide on 32-bit (0 to 0xffffffff) - 8 bytes wide on 64-bit (0 to 0xffffffffffffffff) That means that 32-bit round_pipe_size(), nr_pages may overflow to 0: size=0x00000000 nr_pages=0x0 size=0x00000001 nr_pages=0x1 size=0xfffff000 nr_pages=0xfffff size=0xfffff001 nr_pages=0x0 << ! size=0xffffffff nr_pages=0x0 << ! This is bad because roundup_pow_of_two(n) is undefined when n == 0! 64-bit is not a problem as the unsigned int size is 4 bytes wide (similar to 32-bit) and the larger, 8 byte wide unsigned long, is sufficient to handle the largest value of the bit shift expression: size=0xffffffff nr_pages=100000 Modify round_pipe_size() to return 0 if n == 0 and updates its callers to handle accordingly. Link: http://lkml.kernel.org/r/1507658689-11669-3-git-send-email-joe.lawrence@redhat.com Signed-off-by: Joe Lawrence Reported-by: Mikulas Patocka Reviewed-by: Mikulas Patocka Cc: Al Viro Cc: Jens Axboe Cc: Michael Kerrisk Cc: Randy Dunlap Cc: Josh Poimboeuf Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Dong Jinguang Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -1002,6 +1002,9 @@ static long pipe_set_size(struct pipe_in { struct pipe_buffer *bufs; + if (!nr_pages) + return -EINVAL; + /* * We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't * expect a lot of shrink+grow operations, just free and allocate @@ -1046,13 +1049,19 @@ static long pipe_set_size(struct pipe_in /* * Currently we rely on the pipe array holding a power-of-2 number - * of pages. + * of pages. Returns 0 on error. */ static inline unsigned int round_pipe_size(unsigned int size) { unsigned long nr_pages; + if (size < pipe_min_size) + size = pipe_min_size; + nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; + if (nr_pages == 0) + return 0; + return roundup_pow_of_two(nr_pages) << PAGE_SHIFT; } @@ -1063,13 +1072,18 @@ static inline unsigned int round_pipe_si int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf, size_t *lenp, loff_t *ppos) { + unsigned int rounded_pipe_max_size; int ret; ret = proc_dointvec_minmax(table, write, buf, lenp, ppos); if (ret < 0 || !write) return ret; - pipe_max_size = round_pipe_size(pipe_max_size); + rounded_pipe_max_size = round_pipe_size(pipe_max_size); + if (rounded_pipe_max_size == 0) + return -EINVAL; + + pipe_max_size = rounded_pipe_max_size; return ret; }