From: Linke Li
To: linux-mm@kvack.org
Cc: mike.kravetz@oracle.com, muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com, trix@redhat.com, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, dan.carpenter@linaro.org, Linke Li
Subject: [PATCH v2] hugetlbfs: Fix integer overflow check in hugetlbfs_file_mmap()
Date: Thu, 20 Jul 2023 21:49:39 +0800

From: Linke Li

```
vma_len = (loff_t)(vma->vm_end - vma->vm_start);
len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
/* check for overflow */
if (len < vma_len)
	return -EINVAL;
```

There is a signed integer overflow in the code, which is undefined behavior according to the C standard. Although the kernel disables some optimizations by using the "-fno-strict-overflow" option, there is still a risk.

Using the macro "check_add_overflow" to do the overflow check can effectively detect integer overflow and avoid any undefined behavior.

Signed-off-by: Linke Li
--- fs/hugetlbfs/inode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 7b17ccfa039d..60f3010b0f71 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -155,9 +155,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) return -EINVAL; vma_len = (loff_t)(vma->vm_end - vma->vm_start); - len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); - /* check for overflow */ - if (len < vma_len) + if (check_add_overflow(vma_len, (loff_t)vma->vm_pgoff << PAGE_SHIFT, &len)) return -EINVAL; inode_lock(inode); -- 2.25.1
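
Review bot: the second argument on the added line, (loff_t)vma->vm_pgoff << PAGE_SHIFT, is evaluated before check_add_overflow() sees it, so the new check guards only the addition; a shift that overflows loff_t would still be signed-overflow undefined behaviour of the kind the commit message sets out to remove. Please state in the commit message which earlier check bounds vm_pgoff so that the shift cannot overflow (the context shows a return -EINVAL; just above, but not its condition), or guard the shift itself, for example with check_shl_overflow() into a local that is then passed to check_add_overflow(). Hoisting the shifted offset into a local would also bring the added line back under 80 columns. The commit message says only that "there is still a risk" with -fno-strict-overflow; naming the concrete risk would help reviewers judge whether this is a cleanup or a fix that needs backporting.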