x86/sgx: Add overflow check in sgx_validate_offset_length()

[ Upstream commit f0861f49bd946ff94fce4f82509c45e167f63690 ]

sgx_validate_offset_length() function verifies "offset" and "length"
arguments provided by userspace, but was missing an overflow check on
their addition. Add it.

Fixes: c6d26d370767 ("x86/sgx: Add SGX_IOC_ENCLAVE_ADD_PAGES")
Signed-off-by: Borys Popławski <borysp@invisiblethingslab.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Cc: stable@vger.kernel.org # v5.11+
Link: https://lore.kernel.org/r/0d91ac79-6d84-abed-5821-4dbe59fa1a38@invisiblethingslab.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index a66795e..217777c 100644 (file)
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -386,6 +386,9 @@ static int sgx_validate_offset_length(struct sgx_encl *encl,
        if (!length || !IS_ALIGNED(length, PAGE_SIZE))
                return -EINVAL;
 
+       if (offset + length < offset)
+               return -EINVAL;
+
        if (offset + length - PAGE_SIZE >= encl->size)
                return -EINVAL;