From patchwork Tue Oct 4 22:59:03 2022
X-Patchwork-Submitter: Borys
X-Patchwork-Id: 12998763
Message-ID: <0d91ac79-6d84-abed-5821-4dbe59fa1a38@invisiblethingslab.com>
Date: Wed, 5 Oct 2022 00:59:03 +0200
To: Jarkko Sakkinen, Dave Hansen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", linux-sgx@vger.kernel.org, linux-kernel@vger.kernel.org
From: Borys Cc: Reinette Chatre , =?utf-8?q?Micha=C5=82_Kowal?= =?utf-8?q?czyk?= Subject: [PATCH] x86/sgx: Add overflow check in sgx_validate_offset_length() Precedence: bulk List-ID: X-Mailing-List: linux-sgx@vger.kernel.org sgx_validate_offset_length() function verifies "offset" and "length" arguments provided by userspace, but was missing an overflow check on their addition. This code was originally introduced in commit c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES") and later refactored in commit dda03e2c331b ("x86/sgx: Create utility to validate user provided offset and length"). Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES") Signed-off-by: Borys Popławski Reviewed-by: Jarkko Sakkinen --- Applies on top of tip/x86/sgx ee56a283988d739c25d2d00ffb22707cb487ab47 arch/x86/kernel/cpu/sgx/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c index ebe79d60619f..da8b8ea6b063 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c @@ -356,6 +356,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl, if (!length || !IS_ALIGNED(length, PAGE_SIZE)) return -EINVAL; + if (offset + length < offset) + return -EINVAL; + if (offset + length - PAGE_SIZE >= encl->size) return -EINVAL;
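Review bot: the added `if (offset + length < offset)` test in sgx_validate_offset_length() detects wraparound only if `offset` and `length` are unsigned, and their types are not visible in this hunk because the @@ context cuts the parameter list off after `struct sgx_encl *encl,`. Consider check_add_overflow() from <linux/overflow.h>, storing the sum in a local and reusing it in the following `offset + length - PAGE_SIZE >= encl->size` comparison, so the addition is written once and the intent is explicit. A one-line comment above the check noting that both values come from userspace would help, and the commit message could state what a wrapped sum let past the `encl->size` bound before this fix, since it currently says only that the check was missing.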