From: David Hildenbrand
Organization: Red Hat
Date: Thu, 10 Aug 2023 18:49:26 +0200
Subject: Re: [PATCH mm-unstable fix] mm: userfaultfd: check for start + len overflow in validate_range: fix
To: Ryan Roberts, Axel Rasmussen, Alexander Viro, Andrew Morton, Brian Geffon, Christian Brauner, Gaosheng Cui, Huang Ying, Hugh Dickins, James Houghton, Jiaqi Yan, Jonathan Corbet, Kefeng Wang, "Liam R. Howlett", Miaohe Lin, Mike Kravetz, "Mike Rapoport (IBM)", Muchun Song, Nadav Amit, Naoya Horiguchi, Peter Xu, Shuah Khan, Steven Barrett, Suleiman Souhlal, Suren Baghdasaryan, "T.J. Alumbaugh", Yu Zhao, ZhangPeng
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, syzbot+42309678e0bc7b32f8e9@syzkaller.appspotmail.com
Message-ID: <6a7bff41-259b-89f3-1a46-5b5b73d3fea1@redhat.com>
In-Reply-To: <8fbb5965-28f7-4e9a-ac04-1406ed8fc2d4@arm.com>
References: <20230714182932.2608735-1-axelrasmussen@google.com> <8fbb5965-28f7-4e9a-ac04-1406ed8fc2d4@arm.com>

On 10.08.23 17:53, Ryan Roberts wrote:
> On 14/07/2023 19:29, Axel Rasmussen wrote:
>> This commit removed an extra check for zero-length ranges, and folded it
>> into the common validate_range() helper used by all UFFD ioctls.
>>
>> It failed to notice though that UFFDIO_COPY *only* called validate_range
>> on the dst range, not the src range. So removing this check actually let
>> us proceed with zero-length source ranges, eventually hitting a BUG
>> further down in the call stack.
>>
>> The correct fix seems clear: call validate_range() on the src range too.
>>
>> Other ioctls are not affected by this, as they only have one range, not
>> two (src + dst).
>>
>> Reported-by: syzbot+42309678e0bc7b32f8e9@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=42309678e0bc7b32f8e9
>> Signed-off-by: Axel Rasmussen
>> ---
>> fs/userfaultfd.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
>> index 53a7220c4679..36d233759233 100644
>> --- a/fs/userfaultfd.c
>> +++ b/fs/userfaultfd.c
>> @@ -1759,6 +1759,9 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
>> sizeof(uffdio_copy)-sizeof(__s64)))
>> goto out;
>>
>> + ret = validate_range(ctx->mm, uffdio_copy.src, uffdio_copy.len);
>> + if (ret)
>> + goto out;
>> ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);
>> if (ret)
>> goto out;
>
>
> Hi Axel,
>
> I've just noticed that this patch, now in mm-unstable, regresses the mkdirty mm
> selftest:
>
> # [INFO] detected THP size: 2048 KiB
> TAP version 13
> 1..6
> # [INFO] PTRACE write access
> ok 1 SIGSEGV generated, page not modified
> # [INFO] PTRACE write access to THP
> ok 2 SIGSEGV generated, page not modified
> # [INFO] Page migration
> ok 3 SIGSEGV generated, page not modified
> # [INFO] Page migration of THP
> ok 4 SIGSEGV generated, page not modified
> # [INFO] PTE-mapping a THP
> ok 5 SIGSEGV generated, page not modified
> # [INFO] UFFDIO_COPY
> not ok 6 UFFDIO_COPY failed
> Bail out! 1 out of 6 tests failed
> # Totals: pass:5 fail:1 xfail:0 xpass:0 skip:0 error:0
>
> Whereas all 6 tests pass against v6.5-rc4.
>
> I'm afraid I don't know the test well and haven't looked at what the issue might
> be, but noticed and thought I should point it out.

That test (written by me ;) ) essentially does

src = malloc(pagesize);
dst = mmap(NULL, pagesize, PROT_READ, MAP_PRIVATE|MAP_ANON, -1, 0)
...
uffdio_copy.dst = (unsigned long) dst;
uffdio_copy.src = (unsigned long) src;
uffdio_copy.len = pagesize;
uffdio_copy.mode = 0;
if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy)) {
...

So src might not be aligned to a full page. According to the man page:

"EINVAL Either dst or len was not a multiple of the system page size, or the range specified by src and len or dst and len was invalid."

So, AFAICT, there is no requirement for src to be page-aligned. Using validate_range() on the src is wrong.

--
Cheers,

David / dhildenb
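Review bot: the new src check in this hunk reuses validate_range(), which (per the man page text quoted later in the thread) enforces page alignment that UFFDIO_COPY requires only of dst and len, so a src obtained from malloc(), as in the mkdirty selftest, now fails with EINVAL. The commit message targets only zero-length source ranges (and the series title the start + len overflow), so the src-side check should be narrower than the dst-side one: keep `ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);` as is and, for src, check only that len is non-zero and that src + len does not wrap, without the page-alignment requirement.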
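The following is an added, stand-alone user-space model of the two range checks this thread argues about; it is not code from the patch, from fs/userfaultfd.c, or from the selftest. It models only the rules visible on the page: the man page's "dst or len was not a multiple of the system page size", the commit message's zero-length case, and the series title's start + len overflow. The names validate_dst_range(), validate_src_range(), check_copy_req(), struct copy_req and MODEL_PAGE_SIZE are this example's own, and the addresses are constructed to mimic a malloc()'d src and an mmap()'d dst. The kernel's real validate_range() performs further checks (for instance against the task's address-space limits) that are deliberately left out.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed page size for the model (the selftest uses the runtime pagesize). */
#define MODEL_PAGE_SIZE 4096UL

/*
 * Validation as applied to dst: page-aligned start and len, non-empty range,
 * and no wrap-around of start + len. Mirrors the user-visible rules quoted
 * from the man page; hypothetical, not the kernel's validate_range().
 */
static int validate_dst_range(unsigned long start, unsigned long len)
{
	if (start & (MODEL_PAGE_SIZE - 1))
		return -EINVAL;           /* dst must be page-aligned */
	if (len & (MODEL_PAGE_SIZE - 1))
		return -EINVAL;           /* len must be a page multiple */
	if (!len)
		return -EINVAL;           /* zero-length range */
	if (start + len <= start)
		return -EINVAL;           /* start + len wrapped past ULONG_MAX */
	return 0;
}

/*
 * Validation suitable for src: the man page places no alignment requirement
 * on src (the selftest passes a malloc() buffer), so only the empty-range and
 * overflow checks remain. This is the narrower check the reply argues for.
 */
static int validate_src_range(unsigned long start, unsigned long len)
{
	if (!len)
		return -EINVAL;
	if (start + len <= start)
		return -EINVAL;
	return 0;
}

/* Constructed stand-in for the src/dst/len fields of struct uffdio_copy. */
struct copy_req {
	unsigned long src;
	unsigned long dst;
	unsigned long len;
};

/*
 * Run the checks the way the ioctl path would. With align_src == true the
 * src range goes through the alignment-enforcing dst-style check, i.e. the
 * behaviour the patch introduces; with false it gets the src-only check.
 */
static int check_copy_req(const struct copy_req *r, bool align_src)
{
	int ret = align_src ? validate_dst_range(r->src, r->len)
			    : validate_src_range(r->src, r->len);
	if (ret)
		return ret;
	return validate_dst_range(r->dst, r->len);
}

int main(void)
{
	/* Constructed addresses: malloc()'d src sits 16 bytes into a page,
	 * mmap()'d dst is page-aligned, len is exactly one page. */
	struct copy_req req = {
		.src = 0x55550010UL,
		.dst = 0x7f000000UL,
		.len = MODEL_PAGE_SIZE,
	};

	printf("src-only check : %d\n", check_copy_req(&req, false)); /* 0 */
	printf("aligned src    : %d\n", check_copy_req(&req, true));  /* -22 (EINVAL) */

	/* Overflow case from the series title: src + len wraps to 0. */
	struct copy_req wrap = {
		.src = ULONG_MAX - MODEL_PAGE_SIZE + 1,
		.dst = req.dst,
		.len = MODEL_PAGE_SIZE,
	};
	printf("wrapping src   : %d\n", check_copy_req(&wrap, false)); /* -22 */
	return 0;
}
```

The unaligned src passes the src-only check and fails the dst-style one, which is exactly the regression the selftest reports; the wrapping src is still rejected, so the narrower check loses nothing the fix set out to catch.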