From: Jarkko Sakkinen <jarkko@kernel.org>
To: Borys <borysp@invisiblethingslab.com>
Cc: "Dave Hansen" <dave.hansen@linux.intel.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-sgx@vger.kernel.org, linux-kernel@vger.kernel.org,
"Reinette Chatre" <reinette.chatre@intel.com>,
"Michał Kowalczyk" <mkow@invisiblethingslab.com>
Subject: Re: [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length()
Date: Wed, 5 Oct 2022 02:15:25 +0300 [thread overview]
Message-ID: <Yzy+jUeCXpYI6QvL@kernel.org> (raw)
In-Reply-To: <0d91ac79-6d84-abed-5821-4dbe59fa1a38@invisiblethingslab.com>
On Wed, Oct 05, 2022 at 12:59:03AM +0200, Borys wrote:
> sgx_validate_offset_length() function verifies "offset" and "length"
> arguments provided by userspace, but was missing an overflow check on
> their addition.
> This code was originally introduced in commit c6d26d370767 ("x86/sgx:
> Add SGX_IOC_ENCLAVE_ADD_PAGES") and later refactored in commit
> dda03e2c331b ("x86/sgx: Create utility to validate user provided offset
> and length").
>
> Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
> Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
> ---
> Applies on top of tip/x86/sgx ee56a283988d739c25d2d00ffb22707cb487ab47
>
> arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
> index ebe79d60619f..da8b8ea6b063 100644
> --- a/arch/x86/kernel/cpu/sgx/ioctl.c
> +++ b/arch/x86/kernel/cpu/sgx/ioctl.c
> @@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
> if (!length || !IS_ALIGNED(length, PAGE_SIZE))
> return -EINVAL;
>
> + if (offset + length < offset)
> + return -EINVAL;
> +
> if (offset + length - PAGE_SIZE >= encl->size)
> return -EINVAL;
>
> --
> 2.37.3
>
Thank you.
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BTW, needs:
Cc: stable@vger.kernel.org # v5.11+
BR, Jarkko
next prev parent reply other threads:[~2022-10-04 23:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-04 22:59 [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length() Borys
2022-10-04 23:15 ` Jarkko Sakkinen [this message]
2022-11-08 19:08 ` Reinette Chatre
2022-11-08 20:02 ` [tip: x86/urgent] " tip-bot2 for Borys Popławski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yzy+jUeCXpYI6QvL@kernel.org \
--to=jarkko@kernel.org \
--cc=borysp@invisiblethingslab.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=mkow@invisiblethingslab.com \
--cc=reinette.chatre@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.