Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp129452pxk; Tue, 22 Sep 2020 21:28:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwFIc+1s+LE+f9vAWjPp1DYS6LamwAX6JAzpV7BnzBL2I5DuOtPYIHHnh4Ts8CUFOQziHXF X-Received: by 2002:a17:906:faec:: with SMTP id lu44mr8265970ejb.527.1600835328235; Tue, 22 Sep 2020 21:28:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600835328; cv=none; d=google.com; s=arc-20160816; b=kgCV7T5KTMKOYrrU71+z3/s8NZ3Ge+7AlO9pOaN0QSCB44wgPzuickXVPnwHcqjNbr QqEV6/6VUtFy8YLOpFaNaX+ErDgXzy46yD4aQO1SyEDOy2GtGat2P1rKlZvvyu2P6lca S3vEgx/EnDTVjEEjt8NkUDOLldEEsiKYQtNjrWaWi5+1jqgt9g1fA5NcL5OM6UbI0Qot BtfQC962Z+bCfAwPWWQ2weOqn/cpdja7m9fYEMh1vBJCrUXv25kaK0GjAV9XeM/N9yu3 P45wmvXwIao2aZwP+26PdwNQ9rR0EPZvj1KuPbYV3p7v6BhgPY8jc/HmrEvEjfaTLY0Y wrZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Nch+8gqMtwGeT38nYFyvb0Aj+JH/pDPFgdtw7/NXxPM=; b=X6s+QxD9WW7wrgrtONbTyTYYQGLVNj65GVUwxpYzyuqJEc4QHoBAlASNqS0L4/QmPK QkyOzMWjeHZ+7GSvZAZJqw86P0iF0mpgJ0rZfTo7y2HpMTWO1vly61n/dDpICI+z95Ae YfG1wu/NaS9FRCLRMrvTHg0PLetV0e6lmeUdOudne4xtpVFvBCX9TQqIQJVgtZTQ6D6L QMwz6NZXAzt6+8i1Jap/HN1JOJPmxR5lH62QkTrQFc+pW46oMcu+AA67/T+mWUX/ULS7 vLeyvPAvY2NcsvCfysOdSzruM7IfAfJ7iM+YaGm1i1UXrOp4uqOc7hSPySN6/PTR+i7j VLZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u16si13537753eje.727.2020.09.22.21.28.08; Tue, 22 Sep 2020 21:28:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726876AbgIWE0Y (ORCPT + 99 others); Wed, 23 Sep 2020 00:26:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726448AbgIWE0X (ORCPT ); Wed, 23 Sep 2020 00:26:23 -0400 Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B1AEFC061755 for ; Tue, 22 Sep 2020 21:26:23 -0700 (PDT) Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kKwM1-004Hvh-Hd; Wed, 23 Sep 2020 04:26:05 +0000 Date: Wed, 23 Sep 2020 05:26:05 +0100 From: Al Viro To: Rasmus Villemoes Cc: Andy Lutomirski , syzbot , Aleksa Sarai , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , LKML , Ingo Molnar , Peter Zijlstra , syzkaller-bugs@googlegroups.com, Thomas Gleixner , X86 ML Subject: Re: WARNING in ex_handler_uaccess Message-ID: <20200923042605.GG3421308@ZenIV.linux.org.uk> References: <000000000000762dee05af9ccd01@google.com> <20200918235528.GB3421308@ZenIV.linux.org.uk> <20200919001714.GC3421308@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 21, 2020 at 12:22:19PM +0200, Rasmus Villemoes wrote: > So, not sure how the above got triggered, but I notice there might be an > edge case in check_zeroed_user(): > > from -= align; > size += align; > > if (!user_read_access_begin(from, size)) > return -EFAULT; > > unsafe_get_user(val, (unsigned long __user *) from, err_fault); > > > Suppose size is (size_t)-3 and align is 3. What's the convention for > access_ok(whatever, 0)? Is that equivalent to access_ok(whatever, 1), or > is it always true (or $ARCH-dependent)? It's usually true... > But, AFAICT, no current caller of check_zeroed_user can end up passing > in a size that can overflow to 0. E.g. for the case at hand, size cannot > be more than SIZE_MAX-24. Might be worth slapping if (unlikely(!size)) return -EFAULT; // overflow just before user_read_access_begin() to be sure...