tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args()

The "arg->vec_len" variable is a u64 that comes from the user at the start
of the function. The "arg->vec_len * sizeof(struct page_region))"
multiplication can lead to integer wrapping. Use size_mul() to avoid
that.

Also the size_add/mul() functions work on unsigned long so for 32bit
systems we need to ensure that "arg->vec_len" fits in an unsigned long.

Link: https://lkml.kernel.org/r/39d41335-dd4d-48ed-8a7f-402c57d8ea84@stanley.mountain
Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Andrei Vagin <avagin@google.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by Dan Carpenter and committed by Andrew Morton 669b0cb8 fd7b4f9f

options
unified split
Changed files
+3 -1
fs
proc
task_mmu.c
+3 -1
fs/proc/task_mmu.c
··· 2665 2665 return -EFAULT; 2666 2666 if (!arg->vec && arg->vec_len) 2667 2667 return -EINVAL; 2668 + if (UINT_MAX == SIZE_MAX && arg->vec_len > SIZE_MAX) 2669 + return -EINVAL; 2668 2670 if (arg->vec && !access_ok((void __user *)(long)arg->vec, 2669 - arg->vec_len * sizeof(struct page_region))) 2671 + size_mul(arg->vec_len, sizeof(struct page_region)))) 2670 2672 return -EFAULT; 2671 2673 2672 2674 /* Fixup default values */