From patchwork Mon Jan 29 18:37:29 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 193669
From: Kees Cook
To: Christian Brauner
Cc: Kees Cook, Alexander Viro, Andrew Morton, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user()
Date: Mon, 29 Jan 2024 10:37:29 -0800
Message-Id: <20240129183729.work.991-kees@kernel.org>

The loop counter "i" in copy_compat_iovec_from_user() is an int, but because the nr_segs argument is unsigned long, the signed overflow sanitizer got worried "i" could wrap around. Instead of making "i" an unsigned long (which may enlarge the type size), switch both nr_segs and i to u32.
There is no truncation with nr_segs since it is never larger than UIO_MAXIOV anyway. This keeps sanitizer instrumentation[1] out of a UACCESS path: vmlinux.o: warning: objtool: copy_compat_iovec_from_user+0xa9: call to __ubsan_handle_add_overflow() with UACCESS enabled Link: https://github.com/KSPP/linux/issues/26 [1] Cc: Christian Brauner Cc: Alexander Viro Signed-off-by: Kees Cook --- lib/iov_iter.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/iov_iter.c b/lib/iov_iter.c index e0aa6b440ca5..d797a43dca91 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -1166,11 +1166,12 @@ const void *dup_iter(struct iov_iter *new, struct iov_iter *old, gfp_t flags) EXPORT_SYMBOL(dup_iter); static __noclone int copy_compat_iovec_from_user(struct iovec *iov, - const struct iovec __user *uvec, unsigned long nr_segs) + const struct iovec __user *uvec, u32 nr_segs) { const struct compat_iovec __user *uiov = (const struct compat_iovec __user *)uvec; - int ret = -EFAULT, i; + int ret = -EFAULT; + u32 i; if (!user_access_begin(uiov, nr_segs * sizeof(*uiov))) return -EFAULT;
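Review bot: The narrowing of nr_segs from unsigned long to u32 in the copy_compat_iovec_from_user() signature depends on an invariant that nothing in this function checks or documents. The commit message says nr_segs is never larger than UIO_MAXIOV, but that bound is enforced outside the visible lines, so a future caller passing an unbounded unsigned long would be truncated silently by the implicit conversion at the call site. A one-line comment above the function saying that callers must have already limited nr_segs to UIO_MAXIOV, or naming the caller that enforces it in the commit message, would make the assumption reviewable. The size passed to user_access_begin(), nr_segs * sizeof(*uiov), is still computed in size_t because of the sizeof operand, so that line does not need to change.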