From patchwork Mon Mar 20 02:47:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: mawupeng X-Patchwork-Id: 13180693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4378C7619A for ; Mon, 20 Mar 2023 02:47:58 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B5B39900007; Sun, 19 Mar 2023 22:47:53 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id ABE05900003; Sun, 19 Mar 2023 22:47:53 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 936C8900007; Sun, 19 Mar 2023 22:47:53 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 80893900003 for ; Sun, 19 Mar 2023 22:47:53 -0400 (EDT) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 289C3C0129 for ; Mon, 20 Mar 2023 02:47:53 +0000 (UTC) X-FDA: 80587741626.16.EAB8451 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by imf10.hostedemail.com (Postfix) with ESMTP id 98E05C000F for ; Mon, 20 Mar 2023 02:47:50 +0000 (UTC) Authentication-Results: imf10.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf10.hostedemail.com: domain of mawupeng1@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=mawupeng1@huawei.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1679280471; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=fhmG67kNziHMISdJI4Fr2uTETuEN2iXnWQj08VM+q1E=; b=lWJgGXOE0q0IGuAb8dkTkVWo+lrI0cz23oRKw3Oddvj5+SNZdcEhbXLNxI89BVDPbvYCL2 sfnhrXvGoHGeig3NPnVdQY/iYzQRKIJyR1E7tv2YNkFunr4WaGVQS9RV8NTOTTz6EWIGTb OzHR+UlNG5jwHuw2q4HdYUAiL1rQhvk= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf10.hostedemail.com: domain of mawupeng1@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=mawupeng1@huawei.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1679280471; a=rsa-sha256; cv=none; b=vH/trOGa7cIpYgDFWvJlVkJRotPsLQvLTOWdYk1+w0xwss/swytWxZvBXgyE/0gkSLYja5 mIVV8RZUW+MGlnVSa6tObfSlN6cqm9QQ63YnhnHRHXFx7OhHRWaLNfZZ4KsQDq1E3XNB1e 3VAeamicUQ8VIOuOOsfnKC+0GZtdhwk= Received: from dggpemm500014.china.huawei.com (unknown [172.30.72.57]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4Pfzfh69GQz9v37; Mon, 20 Mar 2023 10:47:24 +0800 (CST) Received: from localhost.localdomain (10.175.112.125) by dggpemm500014.china.huawei.com (7.185.36.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Mon, 20 Mar 2023 10:47:43 +0800 From: Wupeng Ma To: CC: , , , , , Subject: [PATCH v4 0/4] Add overflow checks for several syscalls Date: Mon, 20 Mar 2023 10:47:35 +0800 Message-ID: <20230320024739.224850-1-mawupeng1@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Originating-IP: [10.175.112.125] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To dggpemm500014.china.huawei.com (7.185.36.153) X-CFilter-Loop: Reflected X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 98E05C000F X-Stat-Signature: ixt6cdt1bn8puwuhp96hfbp6qgggfk3j X-Rspam-User: X-HE-Tag: 1679280470-315679 X-HE-Meta: U2FsdGVkX1+1Nob+i3TAXxKAeRXRhQ9/yZNyxrgn12f/YGqoy51jrC47Ud7ZsVbfphvGAxj0vQ1LtDMzq4+RNxre0xsxdFlgAmJr0nK3nf2JcCMX5GMAd6Ivlf83qEN4bn26lnh9zj8wgUM/HXN6gwY4v3nCm9STkiPoHlIaLgLRrsNwsUSMao59O15f6mJ+t9X/8PX4/4viKBOb7cVqbTSW2YB7Gmu8cqa18+oq3ezcMWnVxI6iUrG2YWF4H7jDKFmtf6ignbIVNTdg86WCArgssIbxeaCYs58gqOzUBZ5S/37AtiT7cAZHeDGZQi3JP8j/s3iHuahMgawOZmgt/2ksrldX8jJBTA4vAW6YEtPL5dMIWRsnX7KQI1vQPe9YffWOFuYCav9tci5Pl/EotBRf1CCtIp2WmhOw4HFtneQPD5H2BVRUIvAoVNluZuDh5m88mSUCtY2UqnktIgBpSvbUaCm+ImG9QfLj8eI04A/OCkSNQ9JuK77OkLH/TdLfjkdJg+bnEIvmJYO79tIemxlj4UPorgaDlJTY0CcQr4k++jxu9t9gflEqWlqMSdPLeAuGBtTK4wJVnCxBBPC8o62UzV6MuScqhMK9M7Yj8F8/ChCKCFnkIfOzHbbeN65nJ2JFXtX5mWQn3q6Qv8+XcQqWXB0UDM0pHOCTlr/UX9khai2iR+WYRHhHAXpI4UAfG3mzJOvGCh+/eG0I9vEGp/U2Wnv7q95qSDYJPVYtd45CH/JfekbLKm9yeofpdb4Rk1xM3x9zaIPWyLyRwXEv7NjkvHL87MhfOdjUN/faZb5sniG+M8Are08OjPC9FXhMsV9/AlhYEv7TwRhXj1fF20vvNFGAcC0+Wfv/0V7UD753Hep1evfIojJKohfg3Ht+zCm7jJuJYDrCxSLHq3Axmn9Oqu8Bd6ieUNOdq+7xymTNS3rRNsSsV0NNPcJrme2oGxSHua5hxDisyoIIJV7 gPJl4Cdq MOFv+NIeySKJGAwnFjwG1opo6vMTZ4MQP+KqVKe0/5lByaXT3IrmOGpPTP9VrbphKq51SR2VS4JKyUSxMzvqXgcKnuZvNStEJZvPQClPBKkfwLsRg64BfaGdIg/JRlvWsEUJuXtpI/tR44eQZNstckn7dzmISPWQMBg2gDtvihz7vMFNal3Dui8A+smsrtE+Oab3GvrjIpU12J57iyWy1/Hlj9FCvxzTD+iMBT5yGJR4KTtkPCqINsBEp9aAaUIhtf4Rm/pDzGXgDAyC6Vk2RXBOgCQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Ma Wupeng While testing mlock, we have a problem if the len of mlock is ULONG_MAX. The return value of mlock is zero. But nothing will be locked since the len in do_mlock overflows to zero due to the following code in mlock: len = PAGE_ALIGN(len + (offset_in_page(start))); The same problem happens in munlock. Add new check and return -EINVAL to fix this overflowing scenarios since they are absolutely wrong. Similar logic is used to fix problems with multiple syscalls. Here is the testcases: #include #define _GNU_SOURCE #include #include #include #include #include #include #include extern int errno; int main(void) { int fd; int ret; void *addr; int size = getpagesize(); fd = open("/tmp/testfile", O_RDWR | O_CREAT); if (fd < 0) { printf("open file error! errno: %d\n", errno); return -1; } printf("open success\n"); addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (addr == MAP_FAILED) { printf("open file error! errno: %d\n", errno); close(fd); return -1; } printf("mmap success\n"); memset(addr, 0, size); printf("==== mlock ====\n"); ret = mlock(addr, ULONG_MAX); if (ret == -1 && errno == EINVAL) printf("mlock test passed\n"); else printf("mlock test failed, ret: %d, errno: %d\n", ret, errno); printf("==== set_mempolicy_home_node ====\n"); ret = syscall(450, addr, ULONG_MAX, 0, 0); if (ret == -1 && errno == EINVAL) printf("set_mempolicy_home_node test passed\n"); else printf("set_mempolicy_home_node test failed, ret: %d, errno: %d\n", ret, errno); printf("==== mbind ====\n"); unsigned long nodemask = 1Ul << 0; long max_node = 8 * sizeof(nodemask); ret = mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL); if (ret == -1 && errno == EINVAL) printf("mbind test passed\n"); else printf("mbind test failed, ret: %d, errno: %d\n", ret, errno); printf("==== msync ====\n"); ret = msync(addr, ULONG_MAX, MS_ASYNC); if (ret == -1 && errno == ENOMEM) printf("mbind test passed\n"); else printf("mbind test failed, ret: %d, errno: %d\n", ret, errno); munmap(mmap, size); return 0; } Changelog since v3[3]: - rebase to the latest master - add simple testcases Changelog since v2[2]: - modified the way of checking overflows based on Andrew's comments Changelog since v1[1]: - only check overflow rather than access_ok to keep backward-compatibility [1]: https://lore.kernel.org/lkml/20221228141701.c64add46c4b09aa17f605baf@linux-foundation.org/T/ [2]: https://lore.kernel.org/linux-mm/20230116115813.2956935-5-mawupeng1@huawei.com/T/ [3]: https://lore.kernel.org/linux-mm/de4149c7-0e6e-2035-3fb8-2f9da9633704@huawei.com/T/ Ma Wupeng (4): mm/mlock: return EINVAL if len overflows for mlock/munlock mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node mm/mempolicy: return EINVAL if len overflows for mbind mm/msync: return ENOMEM if len overflows for msync mm/mempolicy.c | 6 ++++-- mm/mlock.c | 8 ++++++++ mm/msync.c | 3 ++- 3 files changed, 14 insertions(+), 3 deletions(-)