Date: Fri, 10 Jan 2025 14:51:52 +0300
From: Dan Carpenter
To: Nicolas Pitre
Cc: Alexander Viro, Christian Brauner, Jan Kara, Kees Cook, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] binfmt_flat: Fix integer overflow bug on 32 bit systems
In-Reply-To: <5be17f6c-5338-43be-91ef-650153b975cb@stanley.mountain>
Ping.

regards,
dan carpenter

On Wed, Dec 04, 2024 at 03:07:15PM +0300, Dan Carpenter wrote:
> Most of these sizes and counts are capped at 256MB so the math doesn't > result in an integer overflow. The "relocs" count needs to be checked > as well. Otherwise on 32bit systems the calculation of "full_data" > could be wrong. > > full_data = data_len + relocs * sizeof(unsigned long); > > Fixes: c995ee28d29d ("binfmt_flat: prevent kernel dammage from corrupted executable headers") > Cc: stable@vger.kernel.org > Signed-off-by: Dan Carpenter > --- > fs/binfmt_flat.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c > index 390808ce935d..b5b5ca1a44f7 100644 > --- a/fs/binfmt_flat.c > +++ b/fs/binfmt_flat.c > @@ -478,7 +478,7 @@ static int load_flat_file(struct linux_binprm *bprm, > * 28 bits (256 MB) is way more than reasonable in this case. > * If some top bits are set we have probable binary corruption. > */ > - if ((text_len | data_len | bss_len | stack_len | full_data) >> 28) { > + if ((text_len | data_len | bss_len | stack_len | relocs | full_data) >> 28) { > pr_err("bad header\n"); > ret = -ENOEXEC; > goto err; > -- > 2.45.2
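Review bot: the comment directly above the changed condition still explains the 28-bit cap only in terms of sizes ("28 bits (256 MB) is way more than reasonable in this case"), but `relocs` is a count, and the reason it is ORed in is that `full_data = data_len + relocs * sizeof(unsigned long)` has already been computed by the time this line runs, so only the bound on `relocs` makes a wrapped `full_data` harmless; one extra comment line saying that `relocs` is included so the `full_data` arithmetic cannot overflow would keep the next reader from removing it as redundant. The logic itself looks right: on a 32-bit system, where `sizeof(unsigned long)` is 4, a `relocs` below 2^28 gives a product below 2^30, and adding a `data_len` below 2^28 stays well under 2^32.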
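To show why the quoted check needed `relocs` in the OR, here is an added example that models the before and after versions of the check with forced 32-bit arithmetic; it is not code from the patch or from fs/binfmt_flat.c, and `struct flat_sizes`, `sample_header`, and the 4-byte `unsigned long` are assumptions standing in for the kernel's header-derived variables on a 32-bit system.

```c
/* Added example (not code from the patch or from fs/binfmt_flat.c): models the
 * binfmt_flat header sanity check before and after the fix; uint32_t forces the
 * 32-bit arithmetic of the case the commit message describes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LIMIT_BITS 28   /* "28 bits (256 MB)" cap from the kernel comment */
#define WORD_SIZE  4U   /* sizeof(unsigned long) on a 32-bit system (assumed) */

/* Constructed stand-in for the header-derived fields the check looks at. */
struct flat_sizes { uint32_t text_len, data_len, bss_len, stack_len, relocs; };
/* full_data = data_len + relocs * sizeof(unsigned long), truncated to 32 bits. */
static uint32_t full_data32(const struct flat_sizes *h)
{
    return h->data_len + h->relocs * WORD_SIZE;
}

/* Check as it stood before the patch: the reloc count is not ORed in, so a
 * count that makes the multiplication wrap can slip through. */
static bool header_ok_before(const struct flat_sizes *h)
{
    uint32_t all = h->text_len | h->data_len | h->bss_len | h->stack_len | full_data32(h);
    return (all >> LIMIT_BITS) == 0;
}

/* Check as patched: relocs joins the OR, so a count with any of bits 28..31
 * set is rejected even when the wrapped full_data lands under the cap. */
static bool header_ok_after(const struct flat_sizes *h)
{
    uint32_t all = h->text_len | h->data_len | h->bss_len | h->stack_len | h->relocs | full_data32(h);
    return (all >> LIMIT_BITS) == 0;
}

/* Constructed sample header: sane sizes, caller-chosen reloc count. */
static struct flat_sizes sample_header(uint32_t relocs)
{
    struct flat_sizes h = { 0x1000, 0x2000, 0x100, 0x1000, relocs };
    return h;
}
int main(void)
{
    /* 0x40000000 * 4 wraps to 0 in 32 bits, so full_data collapses to data_len. */
    struct flat_sizes sane = sample_header(16), corrupt = sample_header(0x40000000u);
    printf("sane:    full_data=%#x before=%d after=%d\n", (unsigned)full_data32(&sane),
           header_ok_before(&sane), header_ok_after(&sane));
    printf("corrupt: full_data=%#x before=%d after=%d\n", (unsigned)full_data32(&corrupt),
           header_ok_before(&corrupt), header_ok_after(&corrupt));
    return 0;
}
```

The corrupt header passes the old check with a plausible-looking `full_data` of 0x2000 and is rejected by the patched one, which is exactly the case the commit message describes.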