| Message ID | 20221205034108.3365182-2-mawupeng1@huawei.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | return EINVAL for illegal user memory range | expand |
On 2022/12/5 11:41, Wupeng Ma wrote: > From: Ma Wupeng <mawupeng1@huawei.com> > > While testing mlock, we have a problem if the len of mlock is ULONG_MAX. > The return value of mlock is zero. But nothing will be locked since the > len in do_mlock overflows to zero due to the following code in mlock: > > len = PAGE_ALIGN(len + (offset_in_page(start))); > > The same problem happens in munlock. > > Since TASK_SIZE is the maximum user space address. The start or len of > mlock shouldn't be bigger than this. Function access_ok can be used to > check this issue, so return -EINVAL if bigger. > > Signed-off-by: Ma Wupeng <mawupeng1@huawei.com> > --- > mm/mlock.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/mm/mlock.c b/mm/mlock.c > index 7032f6dd0ce1..b9422a62a4cf 100644 > --- a/mm/mlock.c > +++ b/mm/mlock.c > @@ -575,6 +575,9 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla > if (!can_do_mlock()) > return -EPERM; > > + if (unlikely(!access_ok((void __user *)start, len))) > + return -EINVAL; When we are runing ltp testcase, a error occurs on mlock[1]. It seems that ENOMEN is expencted for this testcase. In the manual of mlock[2] ENOMEM (mlock(), mlock2(), and munlock()) Some of the specified address range does not correspond to mapped pages in the address space of the process. ENOMEM seem more appropriate for this situation? [1] https://github.com/linux-test-project/ltp/blob/20220930/testcases/open_posix_testsuite/conformance/interfaces/mlock/8-1.c [2] https://man7.org/linux/man-pages/man2/mlock.2.html > + > len = PAGE_ALIGN(len + (offset_in_page(start))); > start &= PAGE_MASK; > > @@ -635,6 +638,9 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len) > > start = untagged_addr(start); > > + if (unlikely(!access_ok((void __user *)start, len))) > + return -EINVAL; > + > len = PAGE_ALIGN(len + (offset_in_page(start))); > start &= PAGE_MASK; >
On Mon, 5 Dec 2022 11:41:05 +0800 Wupeng Ma <mawupeng1@huawei.com> wrote: > While testing mlock, we have a problem if the len of mlock is ULONG_MAX. > The return value of mlock is zero. But nothing will be locked since the > len in do_mlock overflows to zero due to the following code in mlock: > > len = PAGE_ALIGN(len + (offset_in_page(start))); > > The same problem happens in munlock. > > Since TASK_SIZE is the maximum user space address. The start or len of > mlock shouldn't be bigger than this. Function access_ok can be used to > check this issue, so return -EINVAL if bigger. What happens if userspace uses a value somewhat smaller than ULONG_MAX? mlock(addr, ULONG_MAX - 1000000); ? Because if the above works successfully and if it no longer works successfully with this patchset then that could be a backward-compatibility problem.
On 2022/12/29 6:17, Andrew Morton wrote: > On Mon, 5 Dec 2022 11:41:05 +0800 Wupeng Ma <mawupeng1@huawei.com> wrote: > >> While testing mlock, we have a problem if the len of mlock is ULONG_MAX. >> The return value of mlock is zero. But nothing will be locked since the >> len in do_mlock overflows to zero due to the following code in mlock: >> >> len = PAGE_ALIGN(len + (offset_in_page(start))); >> >> The same problem happens in munlock. >> >> Since TASK_SIZE is the maximum user space address. The start or len of >> mlock shouldn't be bigger than this. Function access_ok can be used to >> check this issue, so return -EINVAL if bigger. > > What happens if userspace uses a value somewhat smaller than ULONG_MAX? > > mlock(addr, ULONG_MAX - 1000000); > > ? > > Because if the above works successfully and if it no longer works > successfully with this patchset then that could be a > backward-compatibility problem. For mlock: mlock(addr, ULONG_MAX - 1000000) will ret -1 and the errno is EINVAL(22) due to the following call trace. do_mlock apply_vma_lock_flags end = start + len; if (end < start) return -EINVAL; Just like you said, we need to keep backward-compatibility. Maybe we can only catch and fix the overflowing scenarios since they are absolutely wrong. here is the diff: diff --git a/mm/mlock.c b/mm/mlock.c index 7032f6dd0ce1..fd5e857ab245 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -569,6 +569,7 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla unsigned long locked; unsigned long lock_limit; int error = -ENOMEM; + size_t old_len = len; start = untagged_addr(start); @@ -578,6 +579,9 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla len = PAGE_ALIGN(len + (offset_in_page(start))); start &= PAGE_MASK; + if (old_len != 0 && len == 0) + return -EINVAL; + lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; locked = len >> PAGE_SHIFT; >
diff --git a/mm/mlock.c b/mm/mlock.c index 7032f6dd0ce1..b9422a62a4cf 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -575,6 +575,9 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla if (!can_do_mlock()) return -EPERM; + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + len = PAGE_ALIGN(len + (offset_in_page(start))); start &= PAGE_MASK; @@ -635,6 +638,9 @@ SYSCALL_DEFINE2(munlock, unsigned long, start, size_t, len) start = untagged_addr(start); + if (unlikely(!access_ok((void __user *)start, len))) + return -EINVAL; + len = PAGE_ALIGN(len + (offset_in_page(start))); start &= PAGE_MASK;