Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752362AbdF3S1U (ORCPT <rfc822;w@1wt.eu>);
        Fri, 30 Jun 2017 14:27:20 -0400
Received: from mail-pf0-f176.google.com ([209.85.192.176]:35460 "EHLO
        mail-pf0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751072AbdF3S1S (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 30 Jun 2017 14:27:18 -0400
Date: Fri, 30 Jun 2017 11:26:11 -0700
From: =?iso-8859-1?Q?J=F6rn?= Engel <joern@purestorage.com>
To: Helge Deller <deller@gmx.de>
Cc: Hugh Dickins <hughd@google.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm: Fix overflow check in expand_upwards()
Message-ID: <20170630182611.GA11529@cork>
References: <20170629230256.GB494@cork>
 <747944b6-ffb8-14db-d574-efc03e11f2a5@gmx.de>
 <20170630073424.GA4800@ls3530>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20170630073424.GA4800@ls3530>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2334
Lines: 64

On Fri, Jun 30, 2017 at 09:34:24AM +0200, Helge Deller wrote:
> 
> I see there are some architectures which define TASK_SIZE not as
> multiple of PAGE_SIZE and as 0xffffffff for which the (address >=
> TASK_SIZE) check will not trigger:
> 
> arch/arm/include/asm/memory.h:#define TASK_SIZE         UL(0xffffffff)
> arch/frv/include/asm/mem-layout.h:#define TASK_SIZE                     __UL(0xFFFFFFFFUL)
> arch/m68k/include/asm/processor.h:#define TASK_SIZE     (0xFFFFFFFFUL)
> arch/blackfin/include/asm/processor.h:#define TASK_SIZE 0xFFFFFFFF
> arch/h8300/include/asm/processor.h:#define TASK_SIZE    (0xFFFFFFFFUL)
> arch/xtensa/include/asm/processor.h:#define TASK_SIZE   __XTENSA_UL_CONST(0xffffffff)
> 
> None of those have an upwards growing stack and thus I believe we don't
> run into issues, but nevertheless the checks could probably be changed
> like this (untested patch):

That would also work.  I have no preference which patch to use.

> diff --git a/mm/mmap.c b/mm/mmap.c
> index a5e3dcd..224bdc2 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -2224,15 +2224,17 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
>  {
>  	struct mm_struct *mm = vma->vm_mm;
>  	struct vm_area_struct *next;
> -	unsigned long gap_addr;
> +	unsigned long gap_addr, max_task_size;
>  	int error = 0;
>  
>  	if (!(vma->vm_flags & VM_GROWSUP))
>  		return -EFAULT;
>  
> +	max_task_size = TASK_SIZE & PAGE_MASK;
> +
>  	/* Guard against exceeding limits of the address space. */
>  	address &= PAGE_MASK;
> -	if (address >= TASK_SIZE)
> +	if (address >= max_task_size)
>  		return -ENOMEM;
>  	address += PAGE_SIZE;
>  
> @@ -2240,8 +2242,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
>  	gap_addr = address + stack_guard_gap;
>  
>  	/* Guard against overflow */
> -	if (gap_addr < address || gap_addr > TASK_SIZE)
> -		gap_addr = TASK_SIZE;
> +	if (gap_addr < address || gap_addr > max_task_size)
> +		gap_addr = max_task_size;
>  
>  	next = vma->vm_next;
>  	if (next && next->vm_start < gap_addr) {
> 
> Helge

J?rn

--
You cannot suppose that Moliere ever troubled himself to be original in the
matter of ideas. You cannot suppose that the stories he tells in his plays
have never been told before. They were culled, as you very well know.
-- Andre-Louis Moreau in Scarabouche