Re: [PATCH] hugetlbfs: fix offset overflow in huegtlbfs mmap

From: Naoya Horiguchi
Date: Sun Apr 16 2017 - 19:54:38 EST

Next message: Darrick J. Wong: "4.11-rc7 crash when booting with 1 numa node?"
Previous message: Guenter Roeck: "Re: [PATCH 3.18 000/145] 3.18.49-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 15, 2017 at 03:58:59PM -0700, Mike Kravetz wrote:
> On 04/13/2017 08:32 PM, Naoya Horiguchi wrote:
> > On Tue, Apr 11, 2017 at 03:51:58PM -0700, Mike Kravetz wrote:
> > ...
> >> diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
> >> index 7163fe0..dde8613 100644
> >> --- a/fs/hugetlbfs/inode.c
> >> +++ b/fs/hugetlbfs/inode.c
> >> @@ -136,17 +136,26 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
> >> vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
> >> vma->vm_ops = &hugetlb_vm_ops;
> >>
> >> + /*
> >> + * Offset passed to mmap (before page shift) could have been
> >> + * negative when represented as a (l)off_t.
> >> + */
> >> + if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
> >> + return -EINVAL;
> >> +
> >> if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
> >> return -EINVAL;
> >>
> >> vma_len = (loff_t)(vma->vm_end - vma->vm_start);
> >> + len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
> >> + /* check for overflow */
> >> + if (len < vma_len)
> >> + return -EINVAL;
> >
> > Andrew sent this patch to Linus today, so I know it's a little too late, but
> > I think that getting len directly from vma like below might be a simpler fix.
> >
> > len = (loff_t)(vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT));
> >
> > This shouldn't overflow because vma->vm_{end|start|pgoff} are unsigned long,
> > but if worried you can add VM_BUG_ON_VMA(len < 0, vma).
>
> Thanks Naoya,
>
> I am pretty sure the checks are necessary. You are correct in that
> vma->vm_{end|start|pgoff} are unsigned long. However, pgoff can be
> a REALLY big value that becomes negative when shifted.
>
> Note that pgoff is simply the off_t offset value passed from the user cast
> to unsigned long and shifted right by PAGE_SHIFT. There is nothing to
> prevent a user from passing a 'signed' negative value. In the reproducer
> provided, the value passed from user space is 0x8000000000000000ULL.

OK, thank you for explanation. You're right.

- Naoya

Next message: Darrick J. Wong: "4.11-rc7 crash when booting with 1 numa node?"
Previous message: Guenter Roeck: "Re: [PATCH 3.18 000/145] 3.18.49-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]