Date: Fri, 10 Jan 2025 10:55:25 -0500 (EST)
From: Nicolas Pitre
To: Dan Carpenter
Cc: Alexander Viro, Christian Brauner, Jan Kara, Kees Cook, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] binfmt_flat: Fix integer overflow bug on 32 bit systems
Message-ID: <4252467r-08n8-4oqr-3910-p5n1pq8so9s5@onlyvoer.pbz>
References: <5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain>

On Fri, 10 Jan 2025, Dan Carpenter wrote:

> Ping.
>
> regards,
> dan carpenter
>
> On Wed, Dec 04, 2024 at 03:07:15PM +0300, Dan Carpenter wrote:
> > Most of these sizes and counts are capped at 256MB so the math doesn't
> > result in an integer overflow. The "relocs" count needs to be checked
> > as well. Otherwise on 32bit systems the calculation of "full_data"
> > could be wrong.
> >
> > full_data = data_len + relocs * sizeof(unsigned long);
> >
> > Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Dan Carpenter

Acked-by: Nicolas Pitre

> > ---
> > fs/binfmt_flat.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
> > index 390808ce935d..b5b5ca1a44f7 100644
> > --- a/fs/binfmt_flat.c
> > +++ b/fs/binfmt_flat.c
> > @@ -478,7 +478,7 @@ static int load_flat_file(struct linux_binprm *bprm,
> > * 28 bits (256 MB) is way more than reasonable in this case.
> > * If some top bits are set we have probable binary corruption.
> > */
> > - if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) {
> > + if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) {
> > pr_err("bad header\n");
> > ret = -ENOEXEC;
> > goto err;
> > --
> > 2.45.2
>
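Review bot: the comment above the check ("28 bits (256 MB) is way more than reasonable in this case") is phrased in terms of byte sizes, but relocs, newly OR'ed into the mask on the + line, is an entry count; consider extending the comment to say that bounding relocs below 2^28 is what keeps relocs * sizeof(unsigned long) (at most 2^30 with a 4-byte unsigned long) and therefore full_data from wrapping on 32-bit, since full_data is already computed by the time this check runs and a wrapped full_data on its own would pass the >> 28 test.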
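As an added example (not kernel code and not part of Dan's patch), the header check before and after the change, modelled with 32-bit unsigned arithmetic on a constructed header whose relocs value makes relocs * sizeof(unsigned long) wrap, so that only the patched mask rejects it. The struct layout and the sample values are assumptions made for this example.

```c
#include <stdint.h>

/* Added example, not kernel code. Models the load_flat_file() header
 * sanity check with 32-bit unsigned arithmetic, i.e. a 32-bit system where
 * sizeof(unsigned long) == 4. Field names follow the patch; the struct
 * layout and sample values are constructed for this example. */
#define FLAT_LIMIT_BITS 28
#define ULONG_SIZE_32 ((uint32_t)4)

struct flat_fields {            /* hypothetical subset of the header fields */
    uint32_t text_len, data_len, bss_len, stack_len, relocs;
};

/* full_data = data_len + relocs * sizeof(unsigned long), wrapping at 2^32 */
static uint32_t full_data32(const struct flat_fields *h)
{
    return h->data_len + h->relocs * ULONG_SIZE_32;
}

/* Check before the patch: relocs is not in the mask. Returns 1 if rejected. */
static int rejected_before(const struct flat_fields *h)
{
    uint32_t full_data = full_data32(h);
    return ((h->text_len | h->data_len | h->bss_len | h->stack_len |
             full_data) >> FLAT_LIMIT_BITS) != 0;
}

/* Check after the patch: relocs is OR'ed into the mask as well. */
static int rejected_after(const struct flat_fields *h)
{
    uint32_t full_data = full_data32(h);
    return ((h->text_len | h->data_len | h->bss_len | h->stack_len |
             h->relocs | full_data) >> FLAT_LIMIT_BITS) != 0;
}

/* Constructed corrupted header: 0x40000010 * 4 wraps to 0x40, so full_data
 * looks tiny (0x1040) even though relocs is absurdly large. */
static struct flat_fields wrapping_header(void)
{
    struct flat_fields h = { .text_len = 0x1000, .data_len = 0x1000,
                             .bss_len = 0x100, .stack_len = 0x2000,
                             .relocs = 0x40000010u };
    return h;
}
```

A sane header with a small relocs count passes both versions of the check; only the wrapped one is caught solely by the patched mask.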