Re: [PATCH] fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 14, 2024 at 12:59 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> The "arg->vec_len" variable is a u64 that comes from the user at the
> start of the function.  The "arg->vec_len * sizeof(struct page_region))"
> multiplication can lead to integer wrapping.  Use size_mul() to avoid
> that.
>
> Also the size_add/mul() functions work on unsigned long so for 32bit
> systems we need to ensure that "arg->vec_len" fits in an unsigned long.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Acked-by: Andrei Vagin <avagin@xxxxxxxxxx>

> ---
>  fs/proc/task_mmu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index f57ea9b308bb..38a5a3e9cba2 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -2665,8 +2665,10 @@ static int pagemap_scan_get_args(struct pm_scan_arg *arg,
>                 return -EFAULT;
>         if (!arg->vec && arg->vec_len)
>                 return -EINVAL;
> +       if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX)

nit: arg->vec_len > SIZE_MAX / sizeof(struct page_region)

Thanks,
Andrei





[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux