From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, Andreas Christoforou, "Eric W. Biederman", Al Viro, Arnd Bergmann, Davidlohr Bueso, Manfred Spraul, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.2 061/131] ipc/mqueue.c: only perform resource calculation if user valid
Date: Mon, 5 Aug 2019 15:02:28 +0200
Message-Id: <20190805124955.513765459@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190805124951.453337465@linuxfoundation.org>
References: <20190805124951.453337465@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]

Andreas Christoforou reported:

  UBSAN: Undefined behaviour in ipc/mqueue.c:414:49
  signed integer overflow:
  9 * 2305843009213693951 cannot be represented in type 'long int'
  ...
  Call Trace:
   mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
   evict+0x472/0x8c0 fs/inode.c:558
   iput_final fs/inode.c:1547 [inline]
   iput+0x51d/0x8c0 fs/inode.c:1573
   mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
   mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
   vfs_mkobj+0x39e/0x580 fs/namei.c:2892
   prepare_open ipc/mqueue.c:731 [inline]
   do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771

Which could be triggered by:

  struct mq_attr attr = {
    .mq_flags = 0,
    .mq_maxmsg = 9,
    .mq_msgsize = 0x1fffffffffffffff,
    .mq_curmsgs = 0,
  };

  if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
    perror("mq_open");

mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
preparing to return -EINVAL. During the cleanup, it calls
mqueue_evict_inode() which performed resource usage tracking math for
updating "user", before checking if there was a valid "user" at all
(which would indicate that the calculations would be sane).
Instead, delay this check to after seeing a valid "user". The overflow
was real, but the results went unused, so while the flaw is harmless,
it's noisy for kernel fuzzers, so just fix it by moving the calculation
under the non-NULL "user" where it actually gets used.

Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
Signed-off-by: Kees Cook
Reported-by: Andreas Christoforou
Acked-by: "Eric W. Biederman"
Cc: Al Viro
Cc: Arnd Bergmann
Cc: Davidlohr Bueso
Cc: Manfred Spraul
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
---
 ipc/mqueue.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 216cad1ff0d0c..65c351564ad08 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -438,7 +438,6 @@ static void mqueue_evict_inode(struct inode *inode) { struct mqueue_inode_info *info; struct user_struct *user; - unsigned long mq_bytes, mq_treesize; struct ipc_namespace *ipc_ns; struct msg_msg *msg, *nmsg; LIST_HEAD(tmp_msg); @@ -461,16 +460,18 @@ static void mqueue_evict_inode(struct inode *inode) free_msg(msg); } - /* Total amount of bytes accounted for the mqueue */ - mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + - min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * - sizeof(struct posix_msg_tree_node); - - mq_bytes = mq_treesize + (info->attr.mq_maxmsg * - info->attr.mq_msgsize); - user = info->user; if (user) { + unsigned long mq_bytes, mq_treesize; + + /* Total amount of bytes accounted for the mqueue */ + mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + + min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * + sizeof(struct posix_msg_tree_node); + + mq_bytes = mq_treesize + (info->attr.mq_maxmsg * + info->attr.mq_msgsize); + spin_lock(&mq_lock); user->mq_bytes -= mq_bytes; /* -- 2.20.1
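Review bot: in the first hunk (@@ -438,7 +438,6 @@), dropping the function-scope `unsigned long mq_bytes, mq_treesize;` only compiles together with the second hunk, which re-declares both variables inside the `if (user)` block; applied on its own, the first hunk would leave the later `user->mq_bytes -= mq_bytes;` referring to an undeclared variable, so the two hunks must travel together when this is backported. The narrower scope is the right choice: any future use of `mq_bytes` outside the non-NULL-`user` path becomes a compile error rather than a silent return of the unchecked arithmetic.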
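Review bot: in the second hunk (@@ -461,16 +460,18 @@), moving the two multiplications under `if (user)` relies on an invariant the hunk does not record: `info->user` is only non-NULL once the attributes have been accepted, so `info->attr.mq_maxmsg * info->attr.mq_msgsize` can no longer overflow there. The arithmetic itself is unchanged and the `mq_attr` fields are still signed (`long int` in the UBSAN report), so a one-line comment above `unsigned long mq_bytes, mq_treesize;` saying that `user` is set only after validation would stop a later reader from hoisting the calculation back out of the block. An alternative that does not depend on call-site ordering is to compute the total with overflow-checked arithmetic. The following `spin_lock(&mq_lock);` / `user->mq_bytes -= mq_bytes;` sequence is untouched, which is fine because `mq_bytes` is now assigned in the same block before the lock is taken.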
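The accounting formula the commit message describes (message headers, priority tree nodes, and message payload summed per queue), modelled in user space with overflow-checked arithmetic so that the reported attribute values are rejected instead of wrapping. This is an added example, not code from the patch, the kernel, or the reporter; it assumes a 64-bit `long`, a compiler with `__builtin_mul_overflow`/`__builtin_add_overflow` (GCC or clang), and uses stand-in constants for the two kernel struct sizes.

```c
/* Added example: user-space model of the mqueue accounting sum with
 * overflow-checked arithmetic. Not from the patch or the kernel. */
#include <stdbool.h>
#include <stdio.h>

#define MQ_PRIO_MAX    32768   /* value from the UAPI header; caps the tree-node term */
#define MSG_MSG_SIZE   48      /* stand-in for sizeof(struct msg_msg) (assumption) */
#define TREE_NODE_SIZE 24      /* stand-in for sizeof(struct posix_msg_tree_node) (assumption) */

/*
 * mq_bytes = mq_maxmsg * MSG_MSG_SIZE
 *          + min(mq_maxmsg, MQ_PRIO_MAX) * TREE_NODE_SIZE
 *          + mq_maxmsg * mq_msgsize
 *
 * Returns true and stores the total when every step fits in an unsigned long;
 * returns false for a non-positive attribute or for any overflow, which is
 * the case the UBSAN report hit (9 * 0x1fffffffffffffff does not fit).
 */
static bool mq_account_bytes(long mq_maxmsg, long mq_msgsize, unsigned long *out)
{
    unsigned long maxmsg, msgsize, nodes, treesize, node_bytes, msg_bytes, total;

    if (mq_maxmsg <= 0 || mq_msgsize <= 0)
        return false;                 /* reject before any signed->unsigned cast */
    maxmsg  = (unsigned long)mq_maxmsg;
    msgsize = (unsigned long)mq_msgsize;
    nodes   = maxmsg < MQ_PRIO_MAX ? maxmsg : MQ_PRIO_MAX;

    if (__builtin_mul_overflow(maxmsg, (unsigned long)MSG_MSG_SIZE, &treesize) ||
        __builtin_mul_overflow(nodes, (unsigned long)TREE_NODE_SIZE, &node_bytes) ||
        __builtin_add_overflow(treesize, node_bytes, &treesize) ||
        __builtin_mul_overflow(maxmsg, msgsize, &msg_bytes) ||   /* the reported overflow */
        __builtin_add_overflow(treesize, msg_bytes, &total))
        return false;

    *out = total;
    return true;
}

/* Convenience wrapper: the accounted size, or 0 when the attributes are rejected. */
static unsigned long mq_account_or_zero(long mq_maxmsg, long mq_msgsize)
{
    unsigned long bytes = 0;

    return mq_account_bytes(mq_maxmsg, mq_msgsize, &bytes) ? bytes : 0;
}

int main(void)
{
    /* constructed sane queue: 10 messages of 8192 bytes */
    printf("10 x 8192 -> %lu bytes accounted\n", mq_account_or_zero(10, 8192));
    /* the attributes from the report: rejected rather than wrapped */
    printf("9 x 0x1fffffffffffffff -> %lu (0 = rejected)\n",
           mq_account_or_zero(9, 0x1fffffffffffffffL));
    return 0;
}
```

With the sane queue the total is 10*48 + 10*24 + 10*8192 = 82640 bytes; with the reporter's values the payload multiplication trips the overflow check and the function refuses to produce a number, which is the property the kernel gets indirectly by only doing the arithmetic once `user` has been set.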