From: Axel Rasmussen <axelrasmussen@google.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Brian Geffon <bgeffon@google.com>,
Christian Brauner <brauner@kernel.org>,
David Hildenbrand <david@redhat.com>,
Gaosheng Cui <cuigaosheng1@huawei.com>,
Huang Ying <ying.huang@intel.com>,
Hugh Dickins <hughd@google.com>,
James Houghton <jthoughton@google.com>,
"Jan Alexander Steffens (heftig)" <heftig@archlinux.org>,
Jiaqi Yan <jiaqiyan@google.com>, Jonathan Corbet <corbet@lwn.net>,
Kefeng Wang <wangkefeng.wang@huawei.com>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Miaohe Lin <linmiaohe@huawei.com>,
Mike Kravetz <mike.kravetz@oracle.com>,
"Mike Rapoport (IBM)" <rppt@kernel.org>,
Muchun Song <muchun.song@linux.dev>,
Nadav Amit <namit@vmware.com>,
Naoya Horiguchi <naoya.horiguchi@nec.com>,
Peter Xu <peterx@redhat.com>, Ryan Roberts <ryan.roberts@arm.com>,
Shuah Khan <shuah@kernel.org>,
Suleiman Souhlal <suleiman@google.com>,
Suren Baghdasaryan <surenb@google.com>,
"T.J. Alumbaugh" <talumbau@google.com>,
Yu Zhao <yuzhao@google.com>, ZhangPeng <zhangpeng362@huawei.com>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kselftest@vger.kernel.org,
Axel Rasmussen <axelrasmussen@google.com>
Subject: [PATCH v4 2/8] mm: userfaultfd: check for start + len overflow in validate_range
Date: Fri, 7 Jul 2023 14:55:34 -0700 [thread overview]
Message-ID: <20230707215540.2324998-3-axelrasmussen@google.com> (raw)
In-Reply-To: <20230707215540.2324998-1-axelrasmussen@google.com>
Most userfaultfd ioctls take a `start + len` range as an argument.
We have the validate_range helper to check that such ranges are valid.
However, some (but not all!) ioctls *also* check that `start + len`
doesn't wrap around (overflow).
Just check for this in validate_range. This saves some repetitive code,
and adds the check to some ioctls which weren't bothering to check for
it before.
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
---
fs/userfaultfd.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 7cecd49e078b..2e84684c46f0 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1306,6 +1306,8 @@ static __always_inline int validate_range(struct mm_struct *mm,
return -EINVAL;
if (len > task_size - start)
return -EINVAL;
+ if (start + len <= start)
+ return -EINVAL;
return 0;
}
@@ -1760,14 +1762,8 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);
if (ret)
goto out;
- /*
- * double check for wraparound just in case. copy_from_user()
- * will later check uffdio_copy.src + uffdio_copy.len to fit
- * in the userland range.
- */
+
ret = -EINVAL;
- if (uffdio_copy.src + uffdio_copy.len <= uffdio_copy.src)
- goto out;
if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
goto out;
if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP)
@@ -1927,11 +1923,6 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg)
goto out;
ret = -EINVAL;
- /* double check for wraparound just in case. */
- if (uffdio_continue.range.start + uffdio_continue.range.len <=
- uffdio_continue.range.start) {
- goto out;
- }
if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE |
UFFDIO_CONTINUE_MODE_WP))
goto out;
--
2.41.0.255.g8b1d071c50-goog
next prev parent reply other threads:[~2023-07-07 21:56 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-07 21:55 [PATCH v4 0/8] add UFFDIO_POISON to simulate memory poisoning with UFFD Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 1/8] mm: make PTE_MARKER_SWAPIN_ERROR more general Axel Rasmussen
2023-07-08 15:00 ` Peter Xu
2023-07-09 1:08 ` Andrew Morton
2023-07-10 17:19 ` Axel Rasmussen
2023-07-10 21:59 ` Axel Rasmussen
2023-07-07 21:55 ` Axel Rasmussen [this message]
2023-07-07 21:55 ` [PATCH v4 3/8] mm: userfaultfd: extract file size check out into a helper Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 4/8] mm: userfaultfd: add new UFFDIO_POISON ioctl Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 5/8] mm: userfaultfd: support UFFDIO_POISON for hugetlbfs Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 6/8] mm: userfaultfd: document and enable new UFFDIO_POISON feature Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 7/8] selftests/mm: refactor uffd_poll_thread to allow custom fault handlers Axel Rasmussen
2023-07-08 15:02 ` Peter Xu
2023-07-10 17:08 ` Axel Rasmussen
2023-07-07 21:55 ` [PATCH v4 8/8] selftests/mm: add uffd unit test for UFFDIO_POISON Axel Rasmussen
2023-09-21 16:28 ` Ryan Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230707215540.2324998-3-axelrasmussen@google.com \
--to=axelrasmussen@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=bgeffon@google.com \
--cc=brauner@kernel.org \
--cc=corbet@lwn.net \
--cc=cuigaosheng1@huawei.com \
--cc=david@redhat.com \
--cc=heftig@archlinux.org \
--cc=hughd@google.com \
--cc=jiaqiyan@google.com \
--cc=jthoughton@google.com \
--cc=linmiaohe@huawei.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mike.kravetz@oracle.com \
--cc=muchun.song@linux.dev \
--cc=namit@vmware.com \
--cc=naoya.horiguchi@nec.com \
--cc=peterx@redhat.com \
--cc=rppt@kernel.org \
--cc=ryan.roberts@arm.com \
--cc=shuah@kernel.org \
--cc=suleiman@google.com \
--cc=surenb@google.com \
--cc=talumbau@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wangkefeng.wang@huawei.com \
--cc=ying.huang@intel.com \
--cc=yuzhao@google.com \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.