[PATCH AUTOSEL 5.10 24/27] uaccess: Add minimum bounds check on kernel buffer size

From: Sasha Levin
Date: Sun Feb 26 2023 - 09:58:17 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.15 14/36] ice: add missing checks for PF vsi type"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.2 14/53] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.10 03/27] rcu: Make RCU_LOCKDEP_WARN() avoid early lockdep checks"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Kees Cook <keescook@xxxxxxxxxxxx>

[ Upstream commit 04ffde1319a715bd0550ded3580d4ea3bc003776 ]

While there is logic about the difference between ksize and usize,
copy_struct_from_user() didn't check the size of the destination buffer
(when it was known) against ksize. Add this check so there is an upper
bounds check on the possible memset() call, otherwise lower bounds
checks made by callers will trigger bounds warnings under -Warray-bounds.
Seen under GCC 13:

In function 'copy_struct_from_user',
inlined from 'iommufd_fops_ioctl' at
../drivers/iommu/iommufd/main.c:333:8:
../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=]
59 | #define __underlying_memset __builtin_memset
| ^
../include/linux/fortify-string.h:453:9: note: in expansion of macro '__underlying_memset'
453 | __underlying_memset(p, c, __fortify_size); \
| ^~~~~~~~~~~~~~~~~~~
../include/linux/fortify-string.h:461:25: note: in expansion of macro '__fortify_memset_chk'
461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \
| ^~~~~~~~~~~~~~~~~~~~
../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset'
334 | memset(dst + size, 0, rest);
| ^~~~~~
../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl':
../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here
311 | union ucmd_buffer buf;
| ^~~

Cc: Christian Brauner <brauner@xxxxxxxxxx>
Cc: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
Cc: Arnd Bergmann <arnd@xxxxxxxx>
Cc: Dinh Nguyen <dinguyen@xxxxxxxxxx>
Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Acked-by: Aleksa Sarai <cyphar@xxxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Link: https://lore.kernel.org/lkml/20230203193523.never.667-kees@xxxxxxxxxx/
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
include/linux/uaccess.h | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index c7c6e8b8344d4..20668760daa02 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -348,6 +348,10 @@ copy_struct_from_user(void *dst, size_t ksize, const void __user *src,
size_t size = min(ksize, usize);
size_t rest = max(ksize, usize) - size;

+ /* Double check if ksize is larger than a known object size. */
+ if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1)))
+ return -E2BIG;
+
/* Deal with trailing bytes. */
if (usize < ksize) {
memset(dst + size, 0, rest);
--
2.39.0

Next message: Sasha Levin: "[PATCH AUTOSEL 5.15 14/36] ice: add missing checks for PF vsi type"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.2 14/53] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.10 03/27] rcu: Make RCU_LOCKDEP_WARN() avoid early lockdep checks"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]