Re: [PATCH] mm: avoid undefined behavior in hardened usercopy check

From: Kees Cook
Date: Fri Aug 19 2016 - 16:54:39 EST


On Fri, Aug 19, 2016 at 12:15 PM, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> check_bogus_address() checked for pointer overflow using this expression,
> where 'ptr' has type 'const void *':
>
> ptr + n < ptr
>
> Since pointer wraparound is undefined behavior, gcc at -O2 by default
> treats it like the following, which would not behave as intended:
>
> (long)n < 0
>
> Fortunately, this doesn't currently happen for kernel code because kernel
> code is compiled with -fno-strict-overflow. But the expression should be
> fixed anyway to use well-defined integer arithmetic, since it could be
> treated differently by different compilers in the future or could be
> reported by tools checking for undefined behavior.
>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>

Cool, thanks. I'll get this into my tree.

-Kees

> ---
> mm/usercopy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 8ebae91..82f81df 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -124,7 +124,7 @@ static inline const char *check_kernel_text_object(const void *ptr,
> static inline const char *check_bogus_address(const void *ptr, unsigned long n)
> {
> /* Reject if object wraps past end of memory. */
> - if (ptr + n < ptr)
> + if ((unsigned long)ptr + n < (unsigned long)ptr)
> return "<wrapped address>";
>
> /* Reject if NULL or ZERO-allocation. */
> --
> 2.8.0.rc3.226.g39d4020
>



--
Kees Cook
Nexus Security