From: Ryusuke Konishi
Date: Sat, 4 Nov 2023 03:08:48 +0900
Subject: Re: [PATCH] fs/nilfs2: copy userspace-array safely
To: Philipp Stanner
Cc: linux-nilfs@vger.kernel.org, linux-kernel@vger.kernel.org, Dave Airlie

On Sat, Nov 4, 2023 at 2:56 AM Philipp Stanner wrote:
>
> On Sat, 2023-11-04 at 02:44 +0900, Ryusuke Konishi wrote:
> > On Fri, Nov 3, 2023 at 3:38 AM Philipp Stanner wrote:
> > >
> > > ioctl.c utilizes memdup_user() to copy a userspace array. This is done
> > > without an overflow-check.
> > >
> > > Use the new wrapper memdup_array_user() to copy the array more safely.
> > >
> > > Suggested-by: Dave Airlie
> > > Signed-off-by: Philipp Stanner
> > > ---
> > > Linus recently merged this new wrapper for Kernel v6.7
> >
> > The following overflow check is performed just before the usage of
> > memdup_user():
> >
> >         if (nsegs > UINT_MAX / sizeof(__u64))
> >                 goto out;
> >
> > This was introduced by commit 1ecd3c7ea76488 ("nilfs2: avoid
> > overflowing segment numbers in nilfs_ioctl_clean_segments()") to avoid
> > overflowing nsegs * sizeof(__u64) in the subsequent call to
> > memdup_user().
> >
> > I learned about memdup_array_user() this time, and it seems to check
> > for overflow when multiplying two size_t arguments (i.e. the number of
> > elements and size of the array to be copied).
> >
> > Since size_t is 32-bit or 64-bit depending on the architecture, I
> > think the overflow check that memdup_array_user() does
> > is included in the above upper limit check by UINT_MAX.
> >
> > So, for security reasons, I don't think this change is necessary. (Am
> > I missing something?)
>
> No, I think you are right. My commit message was very generic – it's
> more about unifying array-duplication.
> I should rephrase it.
>
> >
> > In terms of cleanup, I think the clarification this patch brings is
> > good, but in that case, I'm concerned about the duplication of
> > overflow checks.
>
> Alright, so would you prefer a patch that uses memdup_array_user() and,
> consequently, removes the preceding check?
>
> Regards,
> P.

Yeah. If you could revise it as a cleanup patch, I would like to adopt
it for the next cycle.

Regards,
Ryusuke Konishi
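
The argument in the message above, as an added example (a userspace model, not code from the patch, from nilfs2 or from the participants): it checks that any nsegs accepted by the quoted UINT_MAX guard cannot overflow nsegs * sizeof(__u64), whether size_t is 32-bit or 64-bit. The function names are hypothetical, uint64_t stands in for __u64, and __builtin_mul_overflow (GCC/Clang) stands in for the multiplication check the thread attributes to memdup_array_user().

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE sizeof(uint64_t)	/* stands in for sizeof(__u64) */

/* The guard quoted in the thread: true means the ioctl bails out. */
static bool guard_rejects(uint64_t nsegs)
{
	return nsegs > UINT_MAX / ELEM_SIZE;
}

/* Multiplication overflow check as seen with a 32-bit size_t (modelled). */
static bool mul_overflows_32(uint64_t n, uint64_t size, uint32_t *bytes)
{
	return __builtin_mul_overflow(n, size, bytes);
}

/* The same check as seen with a 64-bit size_t (modelled). */
static bool mul_overflows_64(uint64_t n, uint64_t size, uint64_t *bytes)
{
	return __builtin_mul_overflow(n, size, bytes);
}

/* True when, for this nsegs, the multiply check has nothing left to catch. */
static bool multiply_check_redundant(uint64_t nsegs)
{
	uint32_t b32;
	uint64_t b64;

	if (guard_rejects(nsegs))
		return true;	/* the copy is never reached */
	return !mul_overflows_32(nsegs, ELEM_SIZE, &b32) &&
	       !mul_overflows_64(nsegs, ELEM_SIZE, &b64);
}

int main(void)
{
	uint64_t limit = UINT_MAX / ELEM_SIZE;	/* largest accepted nsegs */
	/* Constructed probe values around the guard's boundary. */
	uint64_t probes[] = { 0, 1, limit - 1, limit, limit + 1, UINT32_MAX };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("nsegs=%llu guard_rejects=%d redundant=%d\n",
		       (unsigned long long)probes[i], guard_rejects(probes[i]),
		       multiply_check_redundant(probes[i]));
	return 0;
}
```

With a 64-bit size_t the multiplication check alone would accept counts that the guard rejects (the first rejected count multiplies to 2^32 bytes without overflow), so dropping the guard in a cleanup widens the range of nsegs that reaches the copy on 64-bit builds.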