On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> The "arg->vec_len" variable is a u64 that comes from the user at the
> start of the function. The "arg->vec_len * sizeof(struct page_region))"
> multiplication can lead to integer wrapping. Use size_mul() to avoid
> that.
>
> Also the size_add/mul() functions work on unsigned long so for 32bit
> systems we need to ensure that "arg->vec_len" fits in an unsigned long.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Andrei Vagin <avagin@xxxxxxxxxx>
> ---
> fs/proc/task_mmu.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index f57ea9b308bb..38a5a3e9cba2 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
> return -EFAULT;
> if (!arg->vec && arg->vec_len)
> return -EINVAL;
> + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)
Thanks,
Andrei
