From: Mike Kravetz
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org, bugzilla-daemon@bugzilla.kernel.org
Cc: Michal Hocko, Kirill A. Shutemov, Hillf Danton, Nic Losby, Andrew Morton, Mike Kravetz
Subject: [PATCH] hugetlbfs: check for pgoff value overflow
Date: Wed, 7 Mar 2018 15:59:23 -0800
Message-Id: <20180307235923.12469-1-mike.kravetz@oracle.com>
In-Reply-To: <20180306133135.4dc344e478d98f0e29f47698@linux-foundation.org>
References: <20180306133135.4dc344e478d98f0e29f47698@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

A vma with vm_pgoff large enough to overflow a loff_t type when converted
to a byte offset can be passed via the remap_file_pages system call.  The
hugetlbfs mmap routine uses the byte offset to calculate reservations and
file size.  A sequence such as:

  mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
  remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);

will result in the following when task exits/file closed:

  kernel BUG at mm/hugetlb.c:749!
  Call Trace:
   hugetlbfs_evict_inode+0x2f/0x40
   evict+0xcb/0x190
   __dentry_kill+0xcb/0x150
   __fput+0x164/0x1e0
   task_work_run+0x84/0xa0
   exit_to_usermode_loop+0x7d/0x80
   do_syscall_64+0x18b/0x190
   entry_SYSCALL_64_after_hwframe+0x3d/0xa2

The overflowed pgoff value causes hugetlbfs to try to set up a mapping
with a negative range (end < start) that leaves invalid state which
causes the BUG.

Reported-by: Nic Losby
Signed-off-by: Mike Kravetz
---
 fs/hugetlbfs/inode.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
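As an added illustration (not part of Mike Kravetz's patch or message), the C program below evaluates the patch's shifted-offset test, the huge page alignment test that follows it, and a stricter high-bit test against the page offset from the report; PAGE_SHIFT, HPAGE_SHIFT and the LP64 layout are assumptions for a 64-bit x86 build, and uint64_t/int64_t stand in for the kernel's unsigned long and loff_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the patch): LP64 kernel, 4 KiB base pages, 2 MiB
 * huge pages; uint64_t models vm_pgoff (unsigned long), int64_t models loff_t. */
#define PAGE_SHIFT    12
#define BITS_PER_LONG 64
#define HPAGE_SHIFT   21
typedef int64_t kloff_t;
/* The page offset from the remap_file_pages() call in the report: 2^53 pages. */
#define REPORTED_PGOFF UINT64_C(0x20000000000000)

/* The patch's test, evaluated with an unsigned shift so the wrap-around is
 * well defined here. True means hugetlbfs_file_mmap() would return -EINVAL. */
static bool patch_rejects(uint64_t pgoff)
{
    kloff_t byte_off = (kloff_t)(pgoff << PAGE_SHIFT); /* truncated to 64 bits */
    return pgoff != 0 && byte_off <= 0;
}

/* The huge page alignment test that follows it in hugetlbfs_file_mmap(). */
static bool huge_page_aligned(uint64_t pgoff)
{
    return (pgoff & ((UINT64_C(1) << (HPAGE_SHIFT - PAGE_SHIFT)) - 1)) == 0;
}

/* Stricter test: the byte offset is a non-negative loff_t only if the top
 * PAGE_SHIFT + 1 bits of pgoff are clear, so the shift can neither wrap past
 * 2^64 nor set the sign bit. Done before shifting, so no signed overflow. */
static bool pgoff_overflows_loff(uint64_t pgoff)
{
    return (pgoff >> (BITS_PER_LONG - 1 - PAGE_SHIFT)) != 0;
}

int main(void)
{
    const uint64_t samples[] = {
        UINT64_C(0x600),          /* ordinary aligned offset: accepted by all */
        REPORTED_PGOFF,           /* shifts to 0: rejected by both tests */
        REPORTED_PGOFF + 0x200,   /* shifts to 0x200000: only the strict test rejects */
        UINT64_C(1) << 51,        /* shifts to 2^63, negative: rejected by both */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("pgoff=%#llx patch_rejects=%d aligned=%d strict_rejects=%d\n",
               (unsigned long long)samples[i], patch_rejects(samples[i]),
               huge_page_aligned(samples[i]), pgoff_overflows_loff(samples[i]));
    return 0;
}
```

The third sample shows an offset that wraps back into the positive range and is still huge page aligned, so the patched mmap path accepts it while the high-bit test does not.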
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 8fe1b0aa2896..cb288dec5564 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -127,12 +127,13 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) vma->vm_ops = &hugetlb_vm_ops; /* - * Offset passed to mmap (before page shift) could have been - * negative when represented as a (l)off_t. + * page based offset in vm_pgoff could be sufficiently large to + * overflow a (l)off_t when converted to byte offset. */ - if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0) + if (vma->vm_pgoff && ((loff_t)vma->vm_pgoff << PAGE_SHIFT) <= 0) return -EINVAL; + /* must be huge page aligned */ if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT)) return -EINVAL; -- 2.13.6
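Review bot: the new condition `vma->vm_pgoff && ((loff_t)vma->vm_pgoff << PAGE_SHIFT) <= 0` only rejects shifted offsets that land at zero or become negative; a vm_pgoff whose shifted value wraps past 2^64 back into the positive range is still accepted. On a 64-bit build, vm_pgoff = 0x20000000000200 shifts to 0x200000, which is positive, non-zero and still passes the huge page alignment test that follows, so the overflow the changelog describes is not fully closed. Testing the high bits before shifting, e.g. rejecting when `vma->vm_pgoff >> (BITS_PER_LONG - 1 - PAGE_SHIFT)` is non-zero, covers every value that cannot be represented as a non-negative loff_t and also avoids the signed left shift, which is undefined behaviour in C when the result does not fit; the rewritten comment should then state that it is the high bits of vm_pgoff being checked.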