iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user()
authorKees Cook <keescook@chromium.org>
Mon, 29 Jan 2024 18:37:29 +0000 (10:37 -0800)
committerChristian Brauner <brauner@kernel.org>
Fri, 2 Feb 2024 12:11:49 +0000 (13:11 +0100)
commitbd8c239c0502e70c92cf9496846bcbec7cd5702f
tree2df9a33d2f482e58d6df3b1d666ee2319d33261f
parentcc47a057e79613b7af0110837ff082caf8895c9e
iov_iter: Avoid wrap-around instrumentation in copy_compat_iovec_from_user()

The loop counter "i" in copy_compat_iovec_from_user() is an int, but
because the nr_segs argument is unsigned long, the signed overflow
sanitizer got worried "i" could wrap around. Instead of making "i" an
unsigned long (which may enlarge the type size), switch both nr_segs
and i to u32. There is no truncation with nr_segs since it is never
larger than UIO_MAXIOV anyway. This keeps sanitizer instrumentation[1]
out of a UACCESS path:

vmlinux.o: warning: objtool: copy_compat_iovec_from_user+0xa9: call to __ubsan_handle_add_overflow() with UACCESS enabled

Link: https://github.com/KSPP/linux/issues/26
Cc: Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20240129183729.work.991-kees@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
lib/iov_iter.c