Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6537611imu; Wed, 14 Nov 2018 03:10:13 -0800 (PST) X-Google-Smtp-Source: AJdET5dWg/xPQM6sXdb5Ao9H5pGk3Rz9eLUslR6Al1AyCt61UgVvYD15tkmlS9ME9MmAyW+Y2ePM X-Received: by 2002:a62:4251:: with SMTP id p78-v6mr1513871pfa.72.1542193813465; Wed, 14 Nov 2018 03:10:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542193813; cv=none; d=google.com; s=arc-20160816; b=hD/b7LTujXRNz67Tq4nYqo6ef6AJ0DJ0hVOqg7Q867htn20BDZ9eg0K6txqPkzBqUf O7ymJVj9ADMsyNuWd33S831BUl7H374OAtk7zJfbpJdG5LJuE6suXPQrSx87JvKNx6i1 zi2hUyrgchI7UkjF9cqR2pTovRgHdzNeI67y+GupmHf6vN2uSbm/Hv7enJHXdBWPkeAx VDLQ2mFNlUrP+d1D5KrHkrQgHl9YXw68uHDyuuM3Vqe6wzw0i8RMN+JTy+GSgZgSPQdx rJ23l8aJGp9MwnaLGFCdrFjbNr/e8/KMfEjlfmShhGaHGzq03InCytRi7Y3+FOD+WIhm pCvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from; bh=up0m4w5zXfdVdpwqrB/dHJAn3SHnSDe0KfIhkTMpy5k=; b=YeyhJd+UAclPT2xyYQLiO8At7Z1Y9Qro/MegWi4aYag4uRh/8qOifbZgclcH+jwtKi qduzOtfn19Grx8lsg3jfdR6PK520ryBQxrYrXK2C0iQLjmIseU9doB64wxOZAfRPBakP IEHmM53pMHzAZYTSJ6CSLaCyr+RzEmksWyCy0j43vU/SNA/MZProXxenDTb5c1VaFlTZ 4SlZ83m5Slk59UXO+BWMz6z+5TaH8yyHpzrdWKagfZ1S3kIdZO5bOmEnaaORG7cdyyGI SPRBAiWKLo0iTuLynWf53zHSk/onZhrZr9QjHflOLT6sZ3yGOXxpMob6ZZdTnUOWQNFU 1TPQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c3si13785244pgw.425.2018.11.14.03.09.57; Wed, 14 Nov 2018 03:10:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727663AbeKNVMK convert rfc822-to-8bit (ORCPT + 99 others); Wed, 14 Nov 2018 16:12:10 -0500 Received: from eu-smtp-delivery-151.mimecast.com ([207.82.80.151]:34486 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726823AbeKNVMJ (ORCPT ); Wed, 14 Nov 2018 16:12:09 -0500 Received: from AcuMS.aculab.com (156.67.243.126 [156.67.243.126]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-24-JnPj-GKMNu6VmkcwUuzS9A-1; Wed, 14 Nov 2018 11:09:19 +0000 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) by AcuMS.aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 14 Nov 2018 11:09:25 +0000 Received: from AcuMS.Aculab.com ([fe80::43c:695e:880f:8750]) by AcuMS.aculab.com ([fe80::43c:695e:880f:8750%12]) with mapi id 15.00.1347.000; Wed, 14 Nov 2018 11:09:25 +0000 From: David Laight To: 'William Kucharski' , "Isaac J. Manjarres" CC: Kees Cook , "crecklin@redhat.com" , "linux-mm@kvack.org" , "linux-kernel@vger.kernel.org" , "psodagud@codeaurora.org" , "tsoni@codeaurora.org" , "stable@vger.kernel.org" Subject: RE: [PATCH] mm/usercopy: Use memory range to be accessed for wraparound check Thread-Topic: [PATCH] mm/usercopy: Use memory range to be accessed for wraparound check Thread-Index: AQHUfAXMm0KhA+w52Ui13XJlKrLpAaVPG7lg Date: Wed, 14 Nov 2018 11:09:25 +0000 Message-ID: <5dcd06a0f84a4824bb9bab2b437e190d@AcuMS.aculab.com> References: <1542156686-12253-1-git-send-email-isaacm@codeaurora.org> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-MC-Unique: JnPj-GKMNu6VmkcwUuzS9A-1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: William Kucharski > Sent: 14 November 2018 10:35 > > > On Nov 13, 2018, at 5:51 PM, Isaac J. Manjarres wrote: > > > > diff --git a/mm/usercopy.c b/mm/usercopy.c > > index 852eb4e..0293645 100644 > > --- a/mm/usercopy.c > > +++ b/mm/usercopy.c > > @@ -151,7 +151,7 @@ static inline void check_bogus_address(const unsigned long ptr, unsigned long n, > > bool to_user) > > { > > /* Reject if object wraps past end of memory. */ > > - if (ptr + n < ptr) > > + if (ptr + (n - 1) < ptr) > > usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n); > > I'm being paranoid, but is it possible this routine could ever be passed "n" set to zero? > > If so, it will erroneously abort indicating a wrapped address as (n - 1) wraps to ULONG_MAX. > > Easily fixed via: > > if ((n != 0) && (ptr + (n - 1) < ptr)) Ugg... you don't want a double test. I'd guess that a length of zero is likely, but a usercopy that includes the highest address is going to be invalid because it is a kernel address (on most archs, and probably illegal on others). What you really want to do is add 'ptr + len' and check the carry flag. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)