Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp1265293rwp; Thu, 13 Jul 2023 08:25:36 -0700 (PDT) X-Google-Smtp-Source: APBJJlH9bE6KLWXY+T3g44AhjxonbBrMKUPS7Is0Z6J3+CCSUfrGbMO5FeVADu5ePRaeTVzHULtF X-Received: by 2002:aa7:d148:0:b0:51d:9605:28fd with SMTP id r8-20020aa7d148000000b0051d960528fdmr1845585edo.26.1689261936566; Thu, 13 Jul 2023 08:25:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689261936; cv=none; d=google.com; s=arc-20160816; b=nK+5JqbYhyQJPNchqSD2RyCkOrtSi9WbEQoQzNLpskHI7nj0we5ZPzE82Cy06PsHew oa7/hS/5oKx22LnhvgxfC2Fjo09Bi7ncX3g88IppYBTHd2RF7LTESVc7bEpUuGuPa6KF ZZEnHsQwpAMw5NKbIjD/HjSjB6d2ig3QoX8pCXtKgNgazOyXFY9fvdEOFjJkZqbQfgyM CX8pe24XntJbrulmxvZ1ZGYNnDCv5uP4fj1PKEhBl70OAGTuF9x5WEBkJsiCGnilNoWk c9cSPpJ3EgiLdoo07UNKaodTyTT/ZbKWIltk27IrvnbeXg5JKi6GuzXMDFDlddLJHjS5 JVRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=Kbh8/8YR2OYwgBsozxXjeHWBOMoncqGng7RkrjUyFwA=; fh=GlO48uEh3BxTQxUodJM6YCPIdvQjnALAlOCTx4eTcPo=; b=uDUPnjoiCvuSecCgUP5d8UAqfJIwQoqAbTbhb60mCT03rsB4a1nVT+VH3bcfQITF7h AtLHpnxUat/cS8hZQVh8wzlppBV/SyMfbeRmWimM/jCvE0YlEXZGqSgfOgyfCxKCrFpO AFlG5siNWHbVCRZkWfw2KoLhkmqzlSHizpG0CRVcSiHq5AYnE0H3MV8YSrRB8kpoKLl+ HiKjQZQrfO9RPxk82V4R7AlhxoA3m5eWsa6A4VYUO6cvm51xJbnCaPdXVQHaKo0KuzbL 2V81Ba4pOwP7HUuyjeMRTQM1ELSZNIA48aprbk/dvR7baJTVDdfYmhvsZ9BQlFYLiGJQ NbVQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=mn1AOQAB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r12-20020aa7cfcc000000b005149e1735bcsi7368322edy.33.2023.07.13.08.25.12; Thu, 13 Jul 2023 08:25:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=mn1AOQAB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232983AbjGMPKU (ORCPT + 99 others); Thu, 13 Jul 2023 11:10:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232911AbjGMPKR (ORCPT ); Thu, 13 Jul 2023 11:10:17 -0400 Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD68719B for ; Thu, 13 Jul 2023 08:10:15 -0700 (PDT) Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-3fc03aa6e04so7571965e9.2 for ; Thu, 13 Jul 2023 08:10:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1689261014; x=1691853014; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Kbh8/8YR2OYwgBsozxXjeHWBOMoncqGng7RkrjUyFwA=; b=mn1AOQABIhLQtgpaF09UwJ9IIzomZ6nEQcprYyn2FRSn4Y90dqBbK6CJg8iWhXUY49 fpxZFnAS90xWFVmKfTfkCItAJHos9W59gwcdDVqhsPuTJXrekbubqjym0xZFetMFRRct CZ5ySetSCy3vTd9EvK1enjtjdsraEoqAbP3FSY7h9XBHXHgHI7ta9ah5Xc5tvmkOBZZP 0Kk/jxK2PRHtNDyXojHbclN64FXzJ4gW4TWpXrCl/SWV3a879SatabcK5DjwX4NMCm1X LZjpAE17IWkIeKlBS76Z10TVZ6zU51CKeL9ujqSpPxRTl+f3bs16L3CNDPcd+HxY1Tlb jBhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689261014; x=1691853014; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Kbh8/8YR2OYwgBsozxXjeHWBOMoncqGng7RkrjUyFwA=; b=OuZMnCvcLDEPQ6V6zU/IG0EmWVCM/xR0ADS4dRccMVNue31Bk9ee9axtnGYGePV6hM GpIOu+xovszPwY96KNUeUnQ7DvwXfB6pbPX54dH5OAHlCMi+uByjvVz3u6UsMCOcMbDu Aa2Ak00wDmyWtv15PQTP1sS/xIwisirBAli5Dw3MWu/gZCUxu+b+rtptz6rLduzjzmzU p8VYvsvZUOhuuKGUhVR1oc/OrYGgFCpo0xauoz8ZwNDNbbdqlfEko5uDbx9NvUFUxaN4 mJOPy9DLbrN7XwAVioCnlbJGHRTA//wNyuf73rbzT49W4mxRwciURcwIvzXG3mP7MUln 8iow== X-Gm-Message-State: ABy/qLbeC/2NHhYxAEGDjBq0ys/YxaxyGDuzOCneu+uoJm5p7MAsAPVk WAmciV3+NuBF7oOXofc46/4ymw== X-Received: by 2002:a05:600c:acd:b0:3fc:b86:d3fa with SMTP id c13-20020a05600c0acd00b003fc0b86d3famr1679806wmr.1.1689261014235; Thu, 13 Jul 2023 08:10:14 -0700 (PDT) Received: from localhost ([102.36.222.112]) by smtp.gmail.com with ESMTPSA id p11-20020a1c740b000000b003fbe36a4ce6sm18534778wmc.10.2023.07.13.08.10.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Jul 2023 08:10:12 -0700 (PDT) Date: Thu, 13 Jul 2023 18:10:08 +0300 From: Dan Carpenter To: linke li Cc: Mike Kravetz , David Hildenbrand , Linke Li , linux-mm@kvack.org, llvm@lists.linux.dev, linux-kernel@vger.kernel.org, trix@redhat.com, ndesaulniers@google.com, nathan@kernel.org, muchun.song@linux.dev Subject: Re: [PATCH] hugetlbfs: Fix integer overflow check in hugetlbfs_file_mmap() Message-ID: <6c3191e1-23fd-4f9e-9b5e-321c51599897@moroto.mountain> References: <65f4c60a-9534-56dc-099f-ee7a96e0ccaf@redhat.com> <20230712235813.GE6354@monkey> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 13, 2023 at 03:57:00PM +0800, linke li wrote: > > However, if this is a real issue it would make more > > sense to look for and change all such checks rather than one single occurrence. > > Hi, Mike. I have checked the example code you provided, and the > difference between > those codes and the patched code is that those checks are checks for > unsigned integer > overflow, which is well-defined. Only undefined behavior poses a > security risk. So they > don't need any modifications. I have only found one occurrence of > signed number > overflow so far. I used to have a similar check to that but I eventually deleted it because I decided that the -fno-strict-overflow option works. It didn't produce a lot of warnings. Historically we have done a bad job at open coding integer overflow checks. Some that I wrote turned out to be incorrect. And even when I write them correctly a couple times people have "fixed" them even harder without CCing me or asking me why I wrote them the way I did. What about using the check_add_overflow() macro? diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 7b17ccfa039d..c512165736e0 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -155,9 +155,8 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) return -EINVAL; vma_len = (loff_t)(vma->vm_end - vma->vm_start); - len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); - /* check for overflow */ - if (len < vma_len) + if (check_add_overflow(vma_len, (loff_t)vma->vm_pgoff << PAGE_SHIFT, + &len)) return -EINVAL; inode_lock(inode);