From: Joel Becker <Joel.Becker@oracle.com>
To: ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH] ocfs2: Fix memory overflow in cow_by_page.
Date: Mon, 25 Jan 2010 19:19:56 -0800 [thread overview]
Message-ID: <20100126031956.GC15982@mail.oracle.com> (raw)
In-Reply-To: <1264057166-21316-1-git-send-email-tao.ma@oracle.com>
On Thu, Jan 21, 2010 at 02:59:26PM +0800, Tao Ma wrote:
> In ocfs2_duplicate_clusters_by_page, we calculate map_end
> by shifting page_index. But actually in case we meet with
> a large offset(say in a i686 box, poff_t is only 32 bits
> and page_index=2056240), we will overflow. So change it
> by adding PAGE_CACHE_SIZE to offset.
>
> Signed-off-by: Tao Ma <tao.ma@oracle.com>
> ---
> fs/ocfs2/refcounttree.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
> index 74db2be..6db863d 100644
> --- a/fs/ocfs2/refcounttree.c
> +++ b/fs/ocfs2/refcounttree.c
> @@ -2945,7 +2945,7 @@ static int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>
> while (offset < end) {
> page_index = offset >> PAGE_CACHE_SHIFT;
> - map_end = (page_index + 1) << PAGE_CACHE_SHIFT;
> + map_end = offset + PAGE_CACHE_SIZE;
First, we can't be computing by offset, because map_end is
supposed to be page bounded, right? Also, what if we have an offset
that is the last page possible? Won't that wrap as well, setting
map_end to 0?
Why aren't we computing map_end like we compute end, as a loff_t
value?
page_index = offset >> PAGE_CACHE_SHIFT;
- map_end = (page_index + 1) << PAGE_CACHE_SHIFT;
+ map_end = ((loff_t)page_index + 1) << PAGE_CACHE_SHIFT;
if (map_end > end)
map_end = end;
The map_end>end check will catch anything too big.
Joel
--
"You don't make the poor richer by making the rich poorer."
- Sir Winston Churchill
Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker at oracle.com
Phone: (650) 506-8127
next prev parent reply other threads:[~2010-01-26 3:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-21 6:59 [Ocfs2-devel] [PATCH] ocfs2: Fix memory overflow in cow_by_page Tao Ma
2010-01-22 2:54 ` Sunil Mushran
2010-01-26 3:19 ` Joel Becker [this message]
2010-01-26 3:30 ` Tao Ma
2010-01-26 4:24 ` Tao Ma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100126031956.GC15982@mail.oracle.com \
--to=joel.becker@oracle.com \
--cc=ocfs2-devel@oss.oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.