[PATCH v5 0/4] Add overflow checks for several syscalls

[PATCH v5 0/4] Add overflow checks for several syscalls

[Wupeng Ma]

From: Ma Wupeng <mawupeng1@huawei.com>

While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:

  len = PAGE_ALIGN(len + (offset_in_page(start)));

The same problem happens in munlock.

Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.

Similar logic is used to fix problems with multiple syscalls.

Here is the testcases:

  #include <stdio.h>
  #define _GNU_SOURCE
  #include <sys/mman.h>
  #include <fcntl.h>
  #include <errno.h>
  #include <unistd.h>
  #include <string.h>
  #include <limits.h>
  #include <numaif.h>
  
  extern int errno;
  int main(void)
  {
      int fd;
      int ret;
      void *addr;
      int size = getpagesize();
  
      fd = open("/tmp/testfile", O_RDWR | O_CREAT);
      if (fd < 0) {
          printf("open file error! errno: %d\n", errno);
          return -1;
      }
      printf("open success\n");
      addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
      if (addr == MAP_FAILED) {
          printf("open file error! errno: %d\n", errno);
          close(fd);
          return -1;
      }
      printf("mmap success\n");
      memset(addr, 0, size);
  
      printf("==== mlock ====\n");
      ret = mlock(addr, ULONG_MAX);
      if (ret == -1 && errno == EINVAL)
          printf("mlock test passed\n");
      else
          printf("mlock test failed, ret: %d, errno: %d\n", ret, errno);
  
      printf("==== set_mempolicy_home_node ====\n");
      ret = syscall(450, addr, ULONG_MAX, 0, 0);
      if (ret == -1 && errno == EINVAL)
          printf("set_mempolicy_home_node test passed\n");
      else
          printf("set_mempolicy_home_node test failed, ret: %d, errno: %d\n", ret, errno);
  
      printf("==== mbind ====\n");
      unsigned long nodemask = 1Ul << 0;
      long max_node = 8 * sizeof(nodemask);
      ret = mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL);
      if (ret == -1 && errno == EINVAL)
          printf("mbind test passed\n");
      else
          printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);
  
      printf("==== msync ====\n");
      ret = msync(addr, ULONG_MAX, MS_ASYNC);
      if (ret == -1 && errno == ENOMEM)
          printf("mbind test passed\n");
      else
          printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);
  
      munmap(mmap, size);
  
      return 0;
  }

Changelog since V4:
- send the right version of this patchset

Changelog since v3[3]:
- rebase to the latest master
- add simple testcases

Changelog since v2[2]:
- modified the way of checking overflows based on Andrew's comments

Changelog since v1[1]:
- only check overflow rather than access_ok to keep backward-compatibility

Ma Wupeng (4):
  mm/mlock: return EINVAL if len overflows for mlock/munlock
  mm/mempolicy: return EINVAL for if len overflows for
    set_mempolicy_home_node
  mm/mempolicy: return EINVAL if len overflows for mbind
  mm/msync: return ENOMEM if len overflows for msync

 mm/mempolicy.c | 18 ++++++++++++------
 mm/mlock.c     | 14 ++++++++++++--
 mm/msync.c     |  9 ++++++---
 3 files changed, 30 insertions(+), 11 deletions(-)

-- 
2.25.1

[PATCH v5 1/4] mm/mlock: return EINVAL if len overflows for mlock/munlock

[Wupeng Ma]

From: Ma Wupeng <mawupeng1@huawei.com>

While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:

  len = PAGE_ALIGN(len + (offset_in_page(start)));

The same problem happens in munlock.

Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.

Return 0 early to avoid burn a bunch of cpu cycles if len == 0.

Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
 mm/mlock.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 617469fce96d..247ce396bb16 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -479,8 +479,6 @@ static int apply_vma_lock_flags(unsigned long start, size_t len,
 	end = start + len;
 	if (end < start)
 		return -EINVAL;
-	if (end == start)
-		return 0;
 	vma = vma_iter_load(&vmi);
 	if (!vma)
 		return -ENOMEM;
@@ -574,7 +572,13 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
 	if (!can_do_mlock())
 		return -EPERM;
 
+	if (!len)
+		return 0;
+
 	len = PAGE_ALIGN(len + (offset_in_page(start)));
+	if (!len)
+		return -EINVAL;
+
 	start &= PAGE_MASK;
 
 	lock_limit = rlimit(RLIMIT_MEMLOCK);
@@ -634,7 +638,13 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len)
 
 	start = untagged_addr(start);
 
+	if (!len)
+		return 0;
+
 	len = PAGE_ALIGN(len + (offset_in_page(start)));
+	if (!len)
+		return -EINVAL;
+
 	start &= PAGE_MASK;
 
 	if (mmap_write_lock_killable(current->mm))
-- 
2.25.1

[PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node

[Wupeng Ma]

From: Ma Wupeng <mawupeng1@huawei.com>

Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for set_mempolicy_home_node.

Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
 mm/mempolicy.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index a256a241fd1d..0a596c6cbed9 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1513,13 +1513,16 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 	if (home_node >= MAX_NUMNODES || !node_online(home_node))
 		return -EINVAL;
 
+	if (!len)
+		return 0;
+
 	len = PAGE_ALIGN(len);
-	end = start + len;
+	if (!len)
+		return -EINVAL;
 
+	end = start + len;
 	if (end < start)
 		return -EINVAL;
-	if (end == start)
-		return 0;
 	mmap_write_lock(mm);
 	for_each_vma_range(vmi, vma, end) {
 		/*
-- 
2.25.1

[PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind

[Wupeng Ma]

From: Ma Wupeng <mawupeng1@huawei.com>

Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for mbind.

Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
 mm/mempolicy.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0a596c6cbed9..134fdc1f6c87 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1276,13 +1276,16 @@ static long do_mbind(unsigned long start, unsigned long len,
 	if (mode == MPOL_DEFAULT)
 		flags &= ~MPOL_MF_STRICT;
 
+	if (!len)
+		return 0;
+
 	len = PAGE_ALIGN(len);
-	end = start + len;
+	if (!len)
+		return -EINVAL;
 
+	end = start + len;
 	if (end < start)
 		return -EINVAL;
-	if (end == start)
-		return 0;
 
 	new = mpol_new(mode, mode_flags, nmask);
 	if (IS_ERR(new))
-- 
2.25.1

[PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync

[Wupeng Ma]

From: Ma Wupeng <mawupeng1@huawei.com>

Check and return 0 if len == 0 at the beginning of the function.
Return -ENOMEM if len overflows for msync.

Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
 mm/msync.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/msync.c b/mm/msync.c
index ac4c9bfea2e7..3104c97d70d3 100644
--- a/mm/msync.c
+++ b/mm/msync.c
@@ -46,13 +46,16 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)
 	if ((flags & MS_ASYNC) && (flags & MS_SYNC))
 		goto out;
 	error = -ENOMEM;
+	if (!len)
+		return 0;
+
 	len = (len + ~PAGE_MASK) & PAGE_MASK;
+	if (!len)
+		goto out;
+
 	end = start + len;
 	if (end < start)
 		goto out;
-	error = 0;
-	if (end == start)
-		goto out;
 	/*
 	 * If the interval [start,end) covers some unmapped address ranges,
 	 * just ignore them, but return -ENOMEM at the end. Besides, if the
-- 
2.25.1