On 10/30/24 7:58 AM, Dan Carpenter wrote:
> On Wed, Oct 30, 2024 at 07:22:49AM -0600, Jens Axboe wrote:
>> On 10/30/24 5:40 AM, Dan Carpenter wrote:
>>> Hello Jens Axboe,
>>>
>>> Commit 4b926ab18279 ("io_uring: add support for fixed wait regions")
>>> from Oct 22, 2024 (linux-next), leads to the following Smatch static
>>> checker warning:
>>>
>>> io_uring/register.c:616 io_register_cqwait_reg()
>>> warn: was expecting a 64 bit value instead of '~(~(((1) << 12) - 1))'
>>>
>>> io_uring/register.c
>>> 594 static int io_register_cqwait_reg(struct io_ring_ctx *ctx, void __user *uarg)
>>> 595 {
>>> 596 struct io_uring_cqwait_reg_arg arg;
>>> 597 struct io_uring_reg_wait *reg;
>>> 598 struct page **pages;
>>> 599 unsigned long len;
>>> 600 int nr_pages, poff;
>>> 601 int ret;
>>> 602
>>> 603 if (ctx->cq_wait_page || ctx->cq_wait_arg)
>>> 604 return -EBUSY;
>>> 605 if (copy_from_user(&arg, uarg, sizeof(arg)))
>>> 606 return -EFAULT;
>>> 607 if (!arg.nr_entries || arg.flags)
>>> 608 return -EINVAL;
>>> 609 if (arg.struct_size != sizeof(*reg))
>>> 610 return -EINVAL;
>>> 611 if (check_mul_overflow(arg.struct_size, arg.nr_entries, &len))
>>> 612 return -EOVERFLOW;
>>> 613 if (len > PAGE_SIZE)
>>> 614 return -EINVAL;
>>> 615 /* offset + len must fit within a page, and must be reg_wait aligned */
>>> --> 616 poff = arg.user_addr & ~PAGE_MASK;
>>>
>>> This is a harmless thing, but on 32 bit systems you can put whatever you want in
>>> the high 32 bits of arg.user_addr and it won't affect anything.
>>
>> That is certainly true, it'll get masked away. I suspect this kind of
>> thing is everywhere, though? What do you suggest?
>
> The way that I normally see these warnings is with code like "if
> (u64flags & ~mask)" where only the first 3 bits of u64flags are used.
> It's not normally a real life bug. Normally fix them the warning, but
> I have 174 old warnings from before I started complaining about them.
>
> Maybe:
>
> if (U32_MAX >= SIZE_MAX && arg.user_addr > SIZE_MAX)
> return -EINVAL;
>
> This code works fine as-is, but eventually I want this code to trigger
> a couple more static checker warnings. It's so suspicious because
> we're truncating user data then re-using the same untruncated variable
> again.
Agree, that's the part I don't like. It's fine masking off for offset,
but the later passing in directly is wonky. It'll get truncated to
unsigned long at that point though, so won't _actually_ be passed in.
Hence I'm a bit dubious that this really needs fixing. Yeah the app can
put garbage in the upper 32-bits, but it's never going to be seen.
Should we catch and -EINVAL on that? Potentially, at least it can't hurt
to do so.
--
Jens Axboe
