On Fri, Nov 15, 2024 at 10:49:44AM -0800, Andrei Vagin wrote:
> On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> >
> > The "arg->vec_len" variable is a u64 that comes from the user at the
> > start of the function. The "arg->vec_len * sizeof(struct page_region))"
> > multiplication can lead to integer wrapping. Use size_mul() to avoid
> > that.
> >
> > Also the size_add/mul() functions work on unsigned long so for 32bit
> > systems we need to ensure that "arg->vec_len" fits in an unsigned long.
> >
> > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> Acked-by: Andrei Vagin <avagin@xxxxxxxxxx>
>
> > ---
> > fs/proc/task_mmu.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> > index f57ea9b308bb..38a5a3e9cba2 100644
> > --- a/fs/proc/task_mmu.c
> > +++ b/fs/proc/task_mmu.c
> > @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
> > return -EFAULT;
> > if (!arg->vec && arg->vec_len)
> > return -EINVAL;
> > + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)
>
> nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)
I don't like open coding integer overflow checks now that we have size_add().
Historically, we've done a poor job writing them correctly.
Probably the right thing is to add the > SIZE_MAX check to size_add/mul().
#define size_add(a, b) ({ \
typeof(a) __a = (a); \
typeof(b) __b = (b); \
unsigned long __res; \
if (__a >= SIZE_MAX || __b >= SIZE_MAX) \
__res = ULONG_MAX; \
else \
__res = __size_add(__a, __b); \
__res; \
})
But I think you'd trigger compiler warnings if a or b were a u32 so probably
we'd need to use a _Generic() or something.
regards,
dan carpenter
