[PATCH] fix count(), compat_count() bounds checking

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] fix count(), compat_count() bounds checking
@ 2008-09-19 15:50 Jason Baron
  2008-09-19 23:06 ` Peter Zijlstra
  0 siblings, 1 reply; 3+ messages in thread
From: Jason Baron @ 2008-09-19 15:50 UTC (permalink / raw)
  To: a.p.zijlstra; +Cc: linux-kernel

hi,

With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()'
and compat_count(), it would appear that the current max bounds check
of fs/exec.c:394:

	if(++i > max)
		return -E2BIG;

would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.

Simple fix seems to be chaning ++i to i++ and checking for '>='.

thanks,

-Jason


Signed-off-by: Jason Baron <jbaron@redhat.com>

---

 fs/compat.c |    2 +-
 fs/exec.c   |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


diff --git a/fs/compat.c b/fs/compat.c
index 3d4d57a..2c68dd7 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1233,7 +1233,7 @@ static int compat_count(compat_uptr_t __user *argv, int max)
 			if (!p)
 				break;
 			argv++;
-			if(++i > max)
+			if (i++ >= max)
 				return -E2BIG;
 		}
 	}
diff --git a/fs/exec.c b/fs/exec.c
index 9bf0476..7766839 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -389,7 +389,7 @@ static int count(char __user * __user * argv, int max)
 			if (!p)
 				break;
 			argv++;
-			if(++i > max)
+			if (i++ >= max)
 				return -E2BIG;
 			cond_resched();
 		}

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] fix count(), compat_count() bounds checking
  2008-09-19 15:50 [PATCH] fix count(), compat_count() bounds checking Jason Baron
@ 2008-09-19 23:06 ` Peter Zijlstra
  2008-09-19 23:10   ` Ollie Wild
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Zijlstra @ 2008-09-19 23:06 UTC (permalink / raw)
  To: Jason Baron; +Cc: linux-kernel, aaw, Linus Torvalds

On Fri, 2008-09-19 at 11:50 -0400, Jason Baron wrote:
> hi,
> 
> With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()'
> and compat_count(), it would appear that the current max bounds check
> of fs/exec.c:394:
> 
> 	if(++i > max)
> 		return -E2BIG;
> 
> would never trigger. Since 'i' is of type int, so values would wrap and the
> function would continue looping.
> 
> Simple fix seems to be chaning ++i to i++ and checking for '>='.
> 
> thanks,
> 
> -Jason

Right - looks sane enough, although in practise I'm not sure we'll ever
care since I suspect we'll hit the target stack limit before this.

Ollie?

> Signed-off-by: Jason Baron <jbaron@redhat.com>

Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>

> 
> ---
> 
>  fs/compat.c |    2 +-
>  fs/exec.c   |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> 
> diff --git a/fs/compat.c b/fs/compat.c
> index 3d4d57a..2c68dd7 100644
> --- a/fs/compat.c
> +++ b/fs/compat.c
> @@ -1233,7 +1233,7 @@ static int compat_count(compat_uptr_t __user *argv, int max)
>  			if (!p)
>  				break;
>  			argv++;
> -			if(++i > max)
> +			if (i++ >= max)
>  				return -E2BIG;
>  		}
>  	}
> diff --git a/fs/exec.c b/fs/exec.c
> index 9bf0476..7766839 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -389,7 +389,7 @@ static int count(char __user * __user * argv, int max)
>  			if (!p)
>  				break;
>  			argv++;
> -			if(++i > max)
> +			if (i++ >= max)
>  				return -E2BIG;
>  			cond_resched();
>  		}


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] fix count(), compat_count() bounds checking
  2008-09-19 23:06 ` Peter Zijlstra
@ 2008-09-19 23:10   ` Ollie Wild
  0 siblings, 0 replies; 3+ messages in thread
From: Ollie Wild @ 2008-09-19 23:10 UTC (permalink / raw)
  To: Peter Zijlstra; +Cc: Jason Baron, linux-kernel, Linus Torvalds

On Fri, Sep 19, 2008 at 4:06 PM, Peter Zijlstra <a.p.zijlstra@chello.nl> wrote:
>
> On Fri, 2008-09-19 at 11:50 -0400, Jason Baron wrote:
> >
> > Simple fix seems to be chaning ++i to i++ and checking for '>='.
>
> Right - looks sane enough, although in practise I'm not sure we'll ever
> care since I suspect we'll hit the target stack limit before this.
>
> Ollie?

Sounds reasonable to me.  I'd also be ok with changing MAX_ARG_STRINGS
to 0x7FFFFFFE to help prevent people from making this mistake in the
future.

Ollie

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2008-09-19 23:11 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-09-19 15:50 [PATCH] fix count(), compat_count() bounds checking Jason Baron
2008-09-19 23:06 ` Peter Zijlstra
2008-09-19 23:10   ` Ollie Wild

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.