* [PATCH v5 0/4] Add overflow checks for several syscalls
@ 2023-03-21 7:40 Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock Wupeng Ma
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Wupeng Ma @ 2023-03-21 7:40 UTC (permalink / raw)
To: akpm, david; +Cc: linux-mm, linux-kernel, mawupeng1, kuleshovmail, aneesh.kumar
From: Ma Wupeng <mawupeng1@huawei.com>
While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:
len = PAGE_ALIGN(len + (offset_in_page(start)));
The same problem happens in munlock.
Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.
Similar logic is used to fix problems with multiple syscalls.
Here is the testcases:
#include <stdio.h>
#define _GNU_SOURCE
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <limits.h>
#include <numaif.h>
extern int errno;
int main(void)
{
int fd;
int ret;
void *addr;
int size = getpagesize();
fd = open("/tmp/testfile", O_RDWR | O_CREAT);
if (fd < 0) {
printf("open file error! errno: %d\n", errno);
return -1;
}
printf("open success\n");
addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (addr == MAP_FAILED) {
printf("open file error! errno: %d\n", errno);
close(fd);
return -1;
}
printf("mmap success\n");
memset(addr, 0, size);
printf("==== mlock ====\n");
ret = mlock(addr, ULONG_MAX);
if (ret == -1 && errno == EINVAL)
printf("mlock test passed\n");
else
printf("mlock test failed, ret: %d, errno: %d\n", ret, errno);
printf("==== set_mempolicy_home_node ====\n");
ret = syscall(450, addr, ULONG_MAX, 0, 0);
if (ret == -1 && errno == EINVAL)
printf("set_mempolicy_home_node test passed\n");
else
printf("set_mempolicy_home_node test failed, ret: %d, errno: %d\n", ret, errno);
printf("==== mbind ====\n");
unsigned long nodemask = 1Ul << 0;
long max_node = 8 * sizeof(nodemask);
ret = mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL);
if (ret == -1 && errno == EINVAL)
printf("mbind test passed\n");
else
printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);
printf("==== msync ====\n");
ret = msync(addr, ULONG_MAX, MS_ASYNC);
if (ret == -1 && errno == ENOMEM)
printf("mbind test passed\n");
else
printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);
munmap(mmap, size);
return 0;
}
Changelog since V4:
- send the right version of this patchset
Changelog since v3[3]:
- rebase to the latest master
- add simple testcases
Changelog since v2[2]:
- modified the way of checking overflows based on Andrew's comments
Changelog since v1[1]:
- only check overflow rather than access_ok to keep backward-compatibility
Ma Wupeng (4):
mm/mlock: return EINVAL if len overflows for mlock/munlock
mm/mempolicy: return EINVAL for if len overflows for
set_mempolicy_home_node
mm/mempolicy: return EINVAL if len overflows for mbind
mm/msync: return ENOMEM if len overflows for msync
mm/mempolicy.c | 18 ++++++++++++------
mm/mlock.c | 14 ++++++++++++--
mm/msync.c | 9 ++++++---
3 files changed, 30 insertions(+), 11 deletions(-)
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock
2023-03-21 7:40 [PATCH v5 0/4] Add overflow checks for several syscalls Wupeng Ma
@ 2023-03-21 7:40 ` Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node Wupeng Ma
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Wupeng Ma @ 2023-03-21 7:40 UTC (permalink / raw)
To: akpm, david; +Cc: linux-mm, linux-kernel, mawupeng1, kuleshovmail, aneesh.kumar
From: Ma Wupeng <mawupeng1@huawei.com>
While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:
len = PAGE_ALIGN(len + (offset_in_page(start)));
The same problem happens in munlock.
Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.
Return 0 early to avoid burn a bunch of cpu cycles if len == 0.
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
mm/mlock.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/mm/mlock.c b/mm/mlock.c
index 617469fce96d..247ce396bb16 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -479,8 +479,6 @@ static int apply_vma_lock_flags(unsigned long start, size_t len,
end = start + len;
if (end < start)
return -EINVAL;
- if (end == start)
- return 0;
vma = vma_iter_load(&vmi);
if (!vma)
return -ENOMEM;
@@ -574,7 +572,13 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
if (!can_do_mlock())
return -EPERM;
+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len + (offset_in_page(start)));
+ if (!len)
+ return -EINVAL;
+
start &= PAGE_MASK;
lock_limit = rlimit(RLIMIT_MEMLOCK);
@@ -634,7 +638,13 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)
start = untagged_addr(start);
+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len + (offset_in_page(start)));
+ if (!len)
+ return -EINVAL;
+
start &= PAGE_MASK;
if (mmap_write_lock_killable(current->mm))
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node
2023-03-21 7:40 [PATCH v5 0/4] Add overflow checks for several syscalls Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock Wupeng Ma
@ 2023-03-21 7:40 ` Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync Wupeng Ma
3 siblings, 0 replies; 5+ messages in thread
From: Wupeng Ma @ 2023-03-21 7:40 UTC (permalink / raw)
To: akpm, david; +Cc: linux-mm, linux-kernel, mawupeng1, kuleshovmail, aneesh.kumar
From: Ma Wupeng <mawupeng1@huawei.com>
Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for set_mempolicy_home_node.
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
mm/mempolicy.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index a256a241fd1d..0a596c6cbed9 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1513,13 +1513,16 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
if (home_node >= MAX_NUMNODES || !node_online(home_node))
return -EINVAL;
+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len);
- end = start + len;
+ if (!len)
+ return -EINVAL;
+ end = start + len;
if (end < start)
return -EINVAL;
- if (end == start)
- return 0;
mmap_write_lock(mm);
for_each_vma_range(vmi, vma, end) {
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind
2023-03-21 7:40 [PATCH v5 0/4] Add overflow checks for several syscalls Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node Wupeng Ma
@ 2023-03-21 7:40 ` Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync Wupeng Ma
3 siblings, 0 replies; 5+ messages in thread
From: Wupeng Ma @ 2023-03-21 7:40 UTC (permalink / raw)
To: akpm, david; +Cc: linux-mm, linux-kernel, mawupeng1, kuleshovmail, aneesh.kumar
From: Ma Wupeng <mawupeng1@huawei.com>
Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for mbind.
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
mm/mempolicy.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0a596c6cbed9..134fdc1f6c87 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1276,13 +1276,16 @@ static long do_mbind(unsigned long start, unsigned long len,
if (mode == MPOL_DEFAULT)
flags &= ~MPOL_MF_STRICT;
+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len);
- end = start + len;
+ if (!len)
+ return -EINVAL;
+ end = start + len;
if (end < start)
return -EINVAL;
- if (end == start)
- return 0;
new = mpol_new(mode, mode_flags, nmask);
if (IS_ERR(new))
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync
2023-03-21 7:40 [PATCH v5 0/4] Add overflow checks for several syscalls Wupeng Ma
` (2 preceding siblings ...)
2023-03-21 7:40 ` [PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind Wupeng Ma
@ 2023-03-21 7:40 ` Wupeng Ma
3 siblings, 0 replies; 5+ messages in thread
From: Wupeng Ma @ 2023-03-21 7:40 UTC (permalink / raw)
To: akpm, david; +Cc: linux-mm, linux-kernel, mawupeng1, kuleshovmail, aneesh.kumar
From: Ma Wupeng <mawupeng1@huawei.com>
Check and return 0 if len == 0 at the beginning of the function.
Return -ENOMEM if len overflows for msync.
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
mm/msync.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/msync.c b/mm/msync.c
index ac4c9bfea2e7..3104c97d70d3 100644
--- a/mm/msync.c
+++ b/mm/msync.c
@@ -46,13 +46,16 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)
if ((flags & MS_ASYNC) && (flags & MS_SYNC))
goto out;
error = -ENOMEM;
+ if (!len)
+ return 0;
+
len = (len + ~PAGE_MASK) & PAGE_MASK;
+ if (!len)
+ goto out;
+
end = start + len;
if (end < start)
goto out;
- error = 0;
- if (end == start)
- goto out;
/*
* If the interval [start,end) covers some unmapped address ranges,
* just ignore them, but return -ENOMEM at the end. Besides, if the
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-03-21 7:40 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-21 7:40 [PATCH v5 0/4] Add overflow checks for several syscalls Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind Wupeng Ma
2023-03-21 7:40 ` [PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync Wupeng Ma
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).