From: Linke Li
To: linux-mm@kvack.org
Cc: mike.kravetz@oracle.com, muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com, trix@redhat.com, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, dan.carpenter@linaro.org, Linke Li
Subject: [PATCH v3] hugetlbfs: Fix integer overflow check in hugetlbfs_file_mmap()
Date: Thu, 20 Jul 2023 22:49:52 +0800
From: Linke Li

```
vma_len = (loff_t)(vma->vm_end - vma->vm_start);
len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
/* check for overflow */
if (len < vma_len)
	return -EINVAL;
```

There is a signed integer overflow in the code, which is undefined behavior according to the C standard. Although this works, it's still a bit ugly and static checkers will complain. Using macro "check_add_overflow" to do the overflow check can effectively detect integer overflow and avoid any undefined behavior.

Signed-off-by: Linke Li
---
v3: fix checkpatch warning and better description.

fs/hugetlbfs/inode.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 7b17ccfa039d..326a8c0af5f6 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -154,10 +154,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT)) return -EINVAL; - vma_len = (loff_t)(vma->vm_end - vma->vm_start); - len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); - /* check for overflow */ - if (len < vma_len) + if (check_add_overflow(vma_len, (loff_t)vma->vm_pgoff << PAGE_SHIFT, &len)) return -EINVAL; inode_lock(inode); -- 2.25.1
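Review bot: The hunk in hugetlbfs_file_mmap() deletes `vma_len = (loff_t)(vma->vm_end - vma->vm_start);` together with the old check, yet the added `check_add_overflow(vma_len, ...)` call still reads `vma_len` as its first operand, so as far as these lines show the sum is computed from a value that is no longer assigned at this point. Keep the `vma_len` assignment and replace only the `len = vma_len + ...` line, the comment and the `if (len < vma_len)` test, which makes the change 1 insertion and 3 deletions rather than the 4 deletions in the diffstat. Separately, the second operand `(loff_t)vma->vm_pgoff << PAGE_SHIFT` is still evaluated as a left shift on a signed type before the checked add, so the macro does not cover an overflow in that shift; the commit message should say whether that is bounded elsewhere or the shift should be checked as well.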