From patchwork Tue Mar 21 07:40:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: mawupeng X-Patchwork-Id: 13182343 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28C8CC6FD1D for ; Tue, 21 Mar 2023 07:40:53 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 710516B007D; Tue, 21 Mar 2023 03:40:49 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 696806B0080; Tue, 21 Mar 2023 03:40:49 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 49A276B007E; Tue, 21 Mar 2023 03:40:49 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 1DFB56B0080 for ; Tue, 21 Mar 2023 03:40:49 -0400 (EDT) Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id D9B7AA1149 for ; Tue, 21 Mar 2023 07:40:48 +0000 (UTC) X-FDA: 80592108576.23.1B4F64D Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by imf28.hostedemail.com (Postfix) with ESMTP id 68EDCC001B for ; Tue, 21 Mar 2023 07:40:46 +0000 (UTC) Authentication-Results: imf28.hostedemail.com; dkim=none; spf=pass (imf28.hostedemail.com: domain of mawupeng1@huawei.com designates 45.249.212.187 as permitted sender) smtp.mailfrom=mawupeng1@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1679384447; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=zBoc3jTtK3/XLmRDKY5+ft585cZDapaHhUdK2VQCt2I=; b=Vi20Dt8Gdhyg100EZEvEAwlAwiry2P+w1VDKzoRD1+TI9+Vt6odjmK18YLZDlPGEO2TQ+k vjXfqpVlKb8dF3IBpD6P/nZMGI/piMkqvOeMRnIq+/MTbdNP98UavdTQr6+6/psRAYPybA X7ZdfIi1GunRZGRBQSmAn0QyuFnHoOs= ARC-Authentication-Results: i=1; imf28.hostedemail.com; dkim=none; spf=pass (imf28.hostedemail.com: domain of mawupeng1@huawei.com designates 45.249.212.187 as permitted sender) smtp.mailfrom=mawupeng1@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1679384447; a=rsa-sha256; cv=none; b=qgNNt7rAuSGYB9XJgyKqlOR8V8zYyvL/ka5j8goUZM0q41fwbQCu7q6rAIuPxFMFVcSacD Knr6CJmQiyHAswXwV28ml7Q/zRXjgF1NyQp524XAC+o2czQrUYR7X9JL9srU0lBYJUkhPN eZDO+VRxAumQAnwAzzgtoyPpm3UOtcc= Received: from dggpemm500014.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4Pgk5S0b6tzrVn1; Tue, 21 Mar 2023 15:39:40 +0800 (CST) Received: from localhost.localdomain (10.175.112.125) by dggpemm500014.china.huawei.com (7.185.36.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Tue, 21 Mar 2023 15:40:39 +0800 From: Wupeng Ma To: , CC: , , , , Subject: [PATCH v5 0/4] Add overflow checks for several syscalls Date: Tue, 21 Mar 2023 15:40:31 +0800 Message-ID: <20230321074035.1526157-1-mawupeng1@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Originating-IP: [10.175.112.125] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggpemm500014.china.huawei.com (7.185.36.153) X-CFilter-Loop: Reflected X-Rspam-User: X-Rspamd-Server: rspam03 X-Stat-Signature: xbzmbaeik1wtwxiqeae6mfpsa5jutukr X-Rspamd-Queue-Id: 68EDCC001B X-HE-Tag: 1679384446-540696 X-HE-Meta: U2FsdGVkX197HUPIpZ+I0gR4qLwdLQqCh0KWt5mJFi4Tmaoucva8d9hp4edtDdIOZsC7eOHUN6HlepUPGT/+/Ljg9PlNvAA8hSqez9ia5av/fSpx1nK/HZRzPdvq141okw9WcJUCYWI1uiLBnJFlODpzLFPuAtDwi0YZDxzFx30+cPhUlXoSaOvRDmYcRaysN8cEVRn7OBtzmFx00dx/adbFpccahYmUaR/V9X50qKJnlhhlATphsCP7CnbHMb0mEW9OPP7W+uViYCKMCVJgcEj3aKgd1xnoUxtJqrcsBinuEa8IuGJMnod7fkeIs+EXGrBJVTuOK4IczfsX6IAWGOrTTxt/DYMFXBreDsY9VDN0ZiJYQo6daZBWNGjVp9KUYrh2KOK3XBbm3Q4jyu3Sd2aBumcvEi2lQY0ZcfEk5C/ccxyJ9Qvgwa51PqQ1GDQyWijyGQBmfgkc4oKBbd2XbjFIn5gLCxgaZNiUY4rbz3TXpshfqFfsbCpASLhBwOYxFQi/ewrLrWmCF7YvPuWTa4keynyheZJtA/Nt9W2TM3aYGL/V7mOe2fX8YLX+H9NpxdlUMRRGtfUGp+fQS7v2UFatm+jjoo1PprZgCmQybnNbg2FwCtHETwqVfhhn/5L9Ir2rePRreUjDLUW775SSh2lwfb0k+T1Nn7ylhLnqbhR6kBLOLUR2KxmI0ZzHWP7kICC9vHRTXNMyWt281bGd7hQ9sg4dbvwPty4uhAzuFC/rcxE1qXJO25Vl5z5II95KW571nfGrUUN+PNhWjtEy263F/ho+JzR9VPj6yzWtMhFS96XCSqXIUs5DbTnjd+H16GzDcH3+ZmQvmfyuiWUnKXUJw4hijIW3z918w944GdEC2D7My3EYE6I3I+Yr64at85UaBWDLRS3fDgHNWy2ubWFKFwJ4fQ8/MeOg4kSp86ekwJ3IKavddLHhjcBMZWXJWs3JkaGHNxrQ4l07M2s 0+fgf2Mp T5LUiQ16USkWfac3sLU4gWxamsiFAenMTohVUVjzYlJB0iXLzscy8plX+5UM/X1aO7c530E/GKMIpWsHhuQ3D1kzwxGA3C26vqMli9tysLu0Z2JxJUMgSO6skmAvN7NVN0EdoKbvm3/Ku9aH1SQhHoOVZ0G3cAAWcG7Mw X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Ma Wupeng While testing mlock, we have a problem if the len of mlock is ULONG_MAX. The return value of mlock is zero. But nothing will be locked since the len in do_mlock overflows to zero due to the following code in mlock: len = PAGE_ALIGN(len + (offset_in_page(start))); The same problem happens in munlock. Add new check and return -EINVAL to fix this overflowing scenarios since they are absolutely wrong. Similar logic is used to fix problems with multiple syscalls. Here is the testcases: #include #define _GNU_SOURCE #include #include #include #include #include #include #include extern int errno; int main(void) { int fd; int ret; void *addr; int size = getpagesize(); fd = open("/tmp/testfile", O_RDWR | O_CREAT); if (fd < 0) { printf("open file error! errno: %d\n", errno); return -1; } printf("open success\n"); addr = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (addr == MAP_FAILED) { printf("open file error! errno: %d\n", errno); close(fd); return -1; } printf("mmap success\n"); memset(addr, 0, size); printf("==== mlock ====\n"); ret = mlock(addr, ULONG_MAX); if (ret == -1 && errno == EINVAL) printf("mlock test passed\n"); else printf("mlock test failed, ret: %d, errno: %d\n", ret, errno); printf("==== set_mempolicy_home_node ====\n"); ret = syscall(450, addr, ULONG_MAX, 0, 0); if (ret == -1 && errno == EINVAL) printf("set_mempolicy_home_node test passed\n"); else printf("set_mempolicy_home_node test failed, ret: %d, errno: %d\n", ret, errno); printf("==== mbind ====\n"); unsigned long nodemask = 1Ul << 0; long max_node = 8 * sizeof(nodemask); ret = mbind(addr, ULONG_MAX, MPOL_BIND, &nodemask, max_node, MPOL_MF_MOVE_ALL); if (ret == -1 && errno == EINVAL) printf("mbind test passed\n"); else printf("mbind test failed, ret: %d, errno: %d\n", ret, errno); printf("==== msync ====\n"); ret = msync(addr, ULONG_MAX, MS_ASYNC); if (ret == -1 && errno == ENOMEM) printf("mbind test passed\n"); else printf("mbind test failed, ret: %d, errno: %d\n", ret, errno); munmap(mmap, size); return 0; } Changelog since V4: - send the right version of this patchset Changelog since v3[3]: - rebase to the latest master - add simple testcases Changelog since v2[2]: - modified the way of checking overflows based on Andrew's comments Changelog since v1[1]: - only check overflow rather than access_ok to keep backward-compatibility Ma Wupeng (4): mm/mlock: return EINVAL if len overflows for mlock/munlock mm/mempolicy: return EINVAL for if len overflows for set_mempolicy_home_node mm/mempolicy: return EINVAL if len overflows for mbind mm/msync: return ENOMEM if len overflows for msync mm/mempolicy.c | 18 ++++++++++++------ mm/mlock.c | 14 ++++++++++++-- mm/msync.c | 9 ++++++--- 3 files changed, 30 insertions(+), 11 deletions(-)