From: Linke Li <lilinke99@foxmail.com>
To: linux-mm@kvack.org
Cc: mike.kravetz@oracle.com, muchun.song@linux.dev,
nathan@kernel.org, ndesaulniers@google.com, trix@redhat.com,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
dan.carpenter@linaro.org, Linke Li <lilinke99@gmail.com>
Subject: [PATCH v3] hugetlbfs: Fix integer overflow check in hugetlbfs_file_mmap()
Date: Thu, 20 Jul 2023 22:49:52 +0800 [thread overview]
Message-ID: <tencent_C2D6865561F23A8141BB145149ACC682B408@qq.com> (raw)
From: Linke Li <lilinke99@gmail.com>
```
vma_len = (loff_t)(vma->vm_end - vma->vm_start);
len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
/* check for overflow */
if (len < vma_len)
return -EINVAL;
```
There is a signed integer overflow in the code, which is undefined
behavior according to the C stacnard. Although this works, it's
still a bit ugly and static checkers will complain.
Using macro "check_add_overflow" to do the overflow check can
effectively detect integer overflow and avoid any undefined behavior.
Signed-off-by: Linke Li <lilinke99@gmail.com>
---
v3: fix checkpatch warning and better description.
fs/hugetlbfs/inode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 7b17ccfa039d..326a8c0af5f6 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -154,10 +154,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
return -EINVAL;
- vma_len = (loff_t)(vma->vm_end - vma->vm_start);
- len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
- /* check for overflow */
- if (len < vma_len)
+ if (check_add_overflow(vma_len, (loff_t)vma->vm_pgoff << PAGE_SHIFT, &len))
return -EINVAL;
inode_lock(inode);
--
2.25.1
next reply other threads:[~2023-07-20 15:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-20 14:49 Linke Li [this message]
2023-07-20 18:41 ` [PATCH v3] hugetlbfs: Fix integer overflow check in hugetlbfs_file_mmap() Mike Kravetz
2023-07-20 19:03 ` Nick Desaulniers
2023-07-20 23:36 ` kernel test robot
2023-07-24 3:47 ` Matthew Wilcox
2023-07-24 18:59 ` Mike Kravetz
2023-07-24 8:11 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_C2D6865561F23A8141BB145149ACC682B408@qq.com \
--to=lilinke99@foxmail.com \
--cc=dan.carpenter@linaro.org \
--cc=lilinke99@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=llvm@lists.linux.dev \
--cc=mike.kravetz@oracle.com \
--cc=muchun.song@linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.