2023-03-21 07:41:04

by mawupeng

[permalink] [raw]
Subject: [PATCH v5 0/4] Add overflow checks for several syscalls

From: Ma Wupeng <[email protected]>

While testing mlock, we have a problem if the len of mlock is ULONG_MAX.
The return value of mlock is zero. But nothing will be locked since the
len in do_mlock overflows to zero due to the following code in mlock:

len = PAGE_ALIGN(len + (offset_in_page(start)));

The same problem happens in munlock.

Add new check and return -EINVAL to fix this overflowing scenarios since
they are absolutely wrong.

Similar logic is used to fix problems with multiple syscalls.

Here is the testcases:

#include <stdio.h>
#define _GNU_SOURCE
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <limits.h>
#include <numaif.h>

extern int errno;
int main(void)
{
int fd;
int ret;
void *addr;
int size = getpagesize();

fd = open("/tmp/testfile", O_RDWR | O_CREAT);
if (fd < 0) {
printf("open file error! errno: %d\n", errno);
return -1;
}
printf("open success\n");
addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (addr == MAP_FAILED) {
printf("open file error! errno: %d\n", errno);
close(fd);
return -1;
}
printf("mmap success\n");
memset(addr, 0, size);

printf("==== mlock ====\n");
ret = mlock(addr, ULONG_MAX);
if (ret == -1 && errno == EINVAL)
printf("mlock test passed\n");
else
printf("mlock test failed, ret: %d, errno: %d\n", ret, errno);

printf("==== set_mempolicy_home_node ====\n");
ret = syscall(450, addr, ULONG_MAX, 0, 0);
if (ret == -1 && errno == EINVAL)
printf("set_mempolicy_home_node test passed\n");
else
printf("set_mempolicy_home_node test failed, ret: %d, errno: %d\n", ret, errno);

printf("==== mbind ====\n");
unsigned long nodemask = 1Ul << 0;
long max_node = 8 * sizeof(nodemask);
ret = mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL);
if (ret == -1 && errno == EINVAL)
printf("mbind test passed\n");
else
printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);

printf("==== msync ====\n");
ret = msync(addr, ULONG_MAX, MS_ASYNC);
if (ret == -1 && errno == ENOMEM)
printf("mbind test passed\n");
else
printf("mbind test failed, ret: %d, errno: %d\n", ret, errno);

munmap(mmap, size);

return 0;
}

Changelog since V4:
- send the right version of this patchset

Changelog since v3[3]:
- rebase to the latest master
- add simple testcases

Changelog since v2[2]:
- modified the way of checking overflows based on Andrew's comments

Changelog since v1[1]:
- only check overflow rather than access_ok to keep backward-compatibility

Ma Wupeng (4):
mm/mlock: return EINVAL if len overflows for mlock/munlock
mm/mempolicy: return EINVAL for if len overflows for
set_mempolicy_home_node
mm/mempolicy: return EINVAL if len overflows for mbind
mm/msync: return ENOMEM if len overflows for msync

mm/mempolicy.c | 18 ++++++++++++------
mm/mlock.c | 14 ++++++++++++--
mm/msync.c | 9 ++++++---
3 files changed, 30 insertions(+), 11 deletions(-)

--
2.25.1



2023-03-21 07:41:08

by mawupeng

[permalink] [raw]
Subject: [PATCH v5 2/4] mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node

From: Ma Wupeng <[email protected]>

Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for set_mempolicy_home_node.

Signed-off-by: Ma Wupeng <[email protected]>
---
mm/mempolicy.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index a256a241fd1d..0a596c6cbed9 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1513,13 +1513,16 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
if (home_node >= MAX_NUMNODES || !node_online(home_node))
return -EINVAL;

+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len);
- end = start + len;
+ if (!len)
+ return -EINVAL;

+ end = start + len;
if (end < start)
return -EINVAL;
- if (end == start)
- return 0;
mmap_write_lock(mm);
for_each_vma_range(vmi, vma, end) {
/*
--
2.25.1


2023-03-21 07:41:11

by mawupeng

[permalink] [raw]
Subject: [PATCH v5 3/4] mm/mempolicy: return EINVAL if len overflows for mbind

From: Ma Wupeng <[email protected]>

Check and return 0 if len == 0 at the beginning of the function.
Return -EINVAL if len overflows for mbind.

Signed-off-by: Ma Wupeng <[email protected]>
---
mm/mempolicy.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0a596c6cbed9..134fdc1f6c87 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1276,13 +1276,16 @@ static long do_mbind(unsigned long start, unsigned long len,
if (mode == MPOL_DEFAULT)
flags &= ~MPOL_MF_STRICT;

+ if (!len)
+ return 0;
+
len = PAGE_ALIGN(len);
- end = start + len;
+ if (!len)
+ return -EINVAL;

+ end = start + len;
if (end < start)
return -EINVAL;
- if (end == start)
- return 0;

new = mpol_new(mode, mode_flags, nmask);
if (IS_ERR(new))
--
2.25.1


2023-03-21 07:41:14

by mawupeng

[permalink] [raw]
Subject: [PATCH v5 4/4] mm/msync: return ENOMEM if len overflows for msync

From: Ma Wupeng <[email protected]>

Check and return 0 if len == 0 at the beginning of the function.
Return -ENOMEM if len overflows for msync.

Signed-off-by: Ma Wupeng <[email protected]>
---
mm/msync.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/msync.c b/mm/msync.c
index ac4c9bfea2e7..3104c97d70d3 100644
--- a/mm/msync.c
+++ b/mm/msync.c
@@ -46,13 +46,16 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags)
if ((flags & MS_ASYNC) && (flags & MS_SYNC))
goto out;
error = -ENOMEM;
+ if (!len)
+ return 0;
+
len = (len + ~PAGE_MASK) & PAGE_MASK;
+ if (!len)
+ goto out;
+
end = start + len;
if (end < start)
goto out;
- error = 0;
- if (end == start)
- goto out;
/*
* If the interval [start,end) covers some unmapped address ranges,
* just ignore them, but return -ENOMEM at the end. Besides, if the
--
2.25.1