Commit 7329a655 authored Aug 19, 2016 by Eric Biggers Committed by Kees Cook Aug 22, 2016

usercopy: avoid potentially undefined behavior in pointer math



check_bogus_address() checked for pointer overflow using this expression,
where 'ptr' has type 'const void *':

	ptr + n < ptr

Since pointer wraparound is undefined behavior, gcc at -O2 by default
treats it like the following, which would not behave as intended:

	(long)n < 0

Fortunately, this doesn't currently happen for kernel code because kernel
code is compiled with -fno-strict-overflow.  But the expression should be
fixed anyway to use well-defined integer arithmetic, since it could be
treated differently by different compilers in the future or could be
reported by tools checking for undefined behavior.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>

parent ef0e1ea8

mm/usercopy.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -124,7 +124,7 @@ static inline const char check_kernel_text_object(const void ptr,
		static inline const char check_bogus_address(const void ptr, unsigned long n)
		{
		/* Reject if object wraps past end of memory. */
		if (ptr + n < ptr)
		if ((unsigned long)ptr + n < (unsigned long)ptr)
		return "<wrapped address>";

		/* Reject if NULL or ZERO-allocation. */