linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Andreas Christoforou <andreaschristofo@gmail.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
	Davidlohr Bueso <dave@stgolabs.net>,
	Manfred Spraul <manfred@colorfullife.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 29/37] ipc/mqueue.c: only perform resource calculation if user valid
Date: Fri, 26 Jul 2019 09:43:24 -0400
Message-ID: <20190726134332.12626-29-sashal@kernel.org>
In-Reply-To: <20190726134332.12626-1-sashal@kernel.org>

From: Kees Cook <keescook@chromium.org>

[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]

Andreas Christoforou reported:

  UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
  9 * 2305843009213693951 cannot be represented in type 'long int'
  ...
  Call Trace:
    mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
    evict+0x472/0x8c0 fs/inode.c:558
    iput_final fs/inode.c:1547 [inline]
    iput+0x51d/0x8c0 fs/inode.c:1573
    mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
    mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
    vfs_mkobj+0x39e/0x580 fs/namei.c:2892
    prepare_open ipc/mqueue.c:731 [inline]
    do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771

Which could be triggered by:

        #include <fcntl.h>
        #include <mqueue.h>
        #include <stdio.h>

        int main(void)
        {
                struct mq_attr attr = {
                        .mq_flags = 0,
                        .mq_maxmsg = 9,
                        .mq_msgsize = 0x1fffffffffffffff,
                        .mq_curmsgs = 0,
                };

                /* 0x40 is O_CREAT; the kernel rejects the oversized attr with EINVAL */
                if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
                        perror("mq_open");
                return 0;
        }

mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
preparing to return -EINVAL.  During the cleanup, it calls
mqueue_evict_inode() which performed resource usage tracking math for
updating "user", before checking if there was a valid "user" at all
(which would indicate that the calculations would be sane).  Instead,
delay this check to after seeing a valid "user".

The overflow was real, but the results went unused, so while the flaw is
harmless, it's noisy for kernel fuzzers, so just fix it by moving the
calculation under the non-NULL "user" where it actually gets used.

Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Andreas Christoforou <andreaschristofo@gmail.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ipc/mqueue.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 5c0ae912f2f2..dccd4ecb786a 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -372,7 +372,6 @@ static void mqueue_evict_inode(struct inode *inode)
 {
 	struct mqueue_inode_info *info;
 	struct user_struct *user;
-	unsigned long mq_bytes, mq_treesize;
 	struct ipc_namespace *ipc_ns;
 	struct msg_msg *msg, *nmsg;
 	LIST_HEAD(tmp_msg);
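Review bot: narrowing mq_bytes and mq_treesize from function scope to the `if (user)` block (second hunk) is the right shape for this fix: any later use of either value outside the validated branch now fails to compile instead of silently reusing a product computed from an unvalidated attr. No change requested on this hunk.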
@@ -395,16 +394,18 @@ static void mqueue_evict_inode(struct inode *inode)
 		free_msg(msg);
 	}
 
-	/* Total amount of bytes accounted for the mqueue */
-	mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
-		min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
-		sizeof(struct posix_msg_tree_node);
-
-	mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
-				  info->attr.mq_msgsize);
-
 	user = info->user;
 	if (user) {
+		unsigned long mq_bytes, mq_treesize;
+
+		/* Total amount of bytes accounted for the mqueue */
+		mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
+			min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
+			sizeof(struct posix_msg_tree_node);
+
+		mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
+					  info->attr.mq_msgsize);
+
 		spin_lock(&mq_lock);
 		user->mq_bytes -= mq_bytes;
 		/*
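Review bot: the arithmetic itself is unchanged and still unchecked; the moved `mq_bytes = mq_treesize + (info->attr.mq_maxmsg * info->attr.mq_msgsize)` is safe only because, as the commit message states, a non-NULL `info->user` implies the attr was accepted by mqueue_get_inode() rather than rejected with -EINVAL. Suggest recording that invariant in the kept comment, e.g. `/* Total amount of bytes accounted for the mqueue; attr was validated before user was set */`, so a later change that assigns `user` earlier does not silently reintroduce the signed overflow UBSAN reported. The `min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX)` truncation of the `long` mq_maxmsg is pre-existing and bounded by the same validation, so it is fine to leave as is.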
-- 
2.20.1
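The accounting formula from the patch, reworked as an added example (not kernel code and not part of this patch): the same mq_treesize/mq_bytes computation done with overflow-checked builtins, plus the fixed evaluation order in which a NULL user short-circuits the arithmetic entirely. The struct sizes and MQ_PRIO_MAX value are constructed stand-ins; only the shape of the calculation follows the hunk above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel types; sizes are assumed, not the kernel's. */
#define MQ_PRIO_MAX 32768
struct msg_msg { char opaque[48]; };
struct posix_msg_tree_node { char opaque[40]; };
struct mq_attr { long mq_flags, mq_maxmsg, mq_msgsize, mq_curmsgs; };
struct user_struct { unsigned long mq_bytes; };

/*
 * Overflow-checked form of the accounting in mqueue_evict_inode():
 *   mq_treesize = maxmsg * sizeof(msg_msg) + min(maxmsg, MQ_PRIO_MAX) * sizeof(tree node)
 *   mq_bytes    = mq_treesize + maxmsg * msgsize
 * Returns false instead of wrapping when any term overflows.
 */
static bool mq_account_bytes(const struct mq_attr *attr, unsigned long *out)
{
    unsigned long nr, prio, tree, nodes, msgs, total;

    if (attr->mq_maxmsg < 0 || attr->mq_msgsize < 0)
        return false;
    nr = (unsigned long)attr->mq_maxmsg;
    prio = nr < MQ_PRIO_MAX ? nr : MQ_PRIO_MAX;
    if (__builtin_mul_overflow(nr, sizeof(struct msg_msg), &tree) ||
        __builtin_mul_overflow(prio, sizeof(struct posix_msg_tree_node), &nodes) ||
        __builtin_add_overflow(tree, nodes, &tree) ||
        __builtin_mul_overflow(nr, (unsigned long)attr->mq_msgsize, &msgs) ||
        __builtin_add_overflow(tree, msgs, &total))
        return false;
    *out = total;
    return true;
}

/*
 * Evict path in the fixed ordering: a NULL user means the inode was rejected
 * before anything was charged, so no arithmetic runs on the bogus attr at all.
 * Returns 0 (nothing to release), 1 (released), -1 (attr not sane).
 */
static int evict_release(struct user_struct *user, const struct mq_attr *attr)
{
    unsigned long bytes;
    if (!user)
        return 0;
    if (!mq_account_bytes(attr, &bytes))
        return -1;
    user->mq_bytes -= bytes;
    return 1;
}
```

With the reported attr (9 messages of 0x1fffffffffffffff bytes) the checked version reports overflow, while the NULL-user path never evaluates it, which is exactly what the patch relies on.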

