Re: [patch 2/2 v2] staging: lustre: integer overflow in obd_ioctl_is_invalid()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: walter harms <wharms@bfs.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Peng Tao <bergwolf@gmail.com>,
	Andreas Dilger <andreas.dilger@intel.com>,
	Oleg Drokin <oleg.drokin@intel.com>,
	"John L. Hammond" <john.hammond@intel.com>,
	Dmitry Eremin <dmitry.eremin@intel.com>,
	Jinshan Xiong <jinshan.xiong@intel.com>,
	Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>,
	devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2 v2] staging: lustre: integer overflow in obd_ioctl_is_invalid()
Date: Mon, 28 Apr 2014 11:41:26 +0000	[thread overview]
Message-ID: <20140428114126.GK4963@mwanda> (raw)
In-Reply-To: <535E3CF7.9030609@bfs.de>

On Mon, Apr 28, 2014 at 01:35:19PM +0200, walter harms wrote:
> 
> 
> Am 28.04.2014 12:58, schrieb Dan Carpenter:
> > The obd_ioctl_getdata() function caps "data->ioc_len" at
> > OBD_MAX_IOCTL_BUFFER and then calls this obd_ioctl_is_invalid() to check
> > that the other values inside data are valid.
> > 
> > There are several lengths inside data but when they are added together
> > they must not be larger than "data->ioc_len".  The checks against
> > "(data->ioc_inllen1 > (1<<30))" are supposed to ensure that the addition
> > does not have an integer overflow.  But "(1<<30) * 4" actually can
> > overflow 32 bits, so the checks are insufficient.
> > 
> > I have changed it to "> OBD_MAX_IOCTL_BUFFER" instead.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: Updated the error messages as Walter Harms pointed out.
> > 
> > diff --git a/drivers/staging/lustre/lustre/include/lustre_lib.h b/drivers/staging/lustre/lustre/include/lustre_lib.h
> > index bdc9812..3c26bbd 100644
> > --- a/drivers/staging/lustre/lustre/include/lustre_lib.h
> > +++ b/drivers/staging/lustre/lustre/include/lustre_lib.h
> > @@ -179,24 +179,25 @@ static inline int obd_ioctl_packlen(struct obd_ioctl_data *data)
> >  
> >  static inline int obd_ioctl_is_invalid(struct obd_ioctl_data *data)
> >  {
> > -	if (data->ioc_len > (1<<30)) {
> > -		CERROR("OBD ioctl: ioc_len larger than 1<<30\n");
> > +	if (data->ioc_len > OBD_MAX_IOCTL_BUFFER) {
> > +		CERROR("OBD ioctl: ioc_len larger than %d\n",
> > +		       OBD_MAX_IOCTL_BUFFER);
> >  		return 1;
> >  	}
> > -	if (data->ioc_inllen1 > (1<<30)) {
> > -		CERROR("OBD ioctl: ioc_inllen1 larger than 1<<30\n");
> > +	if (data->ioc_inllen1 > OBD_MAX_IOCTL_BUFFER) {
> > +		CERROR("OBD ioctl: ioc_inllen1 larger than ioc_len\n");
> >  		return 1;
> >  	}
> 
> The error mention ioc_len the compare is OBD_MAX_IOCTL_BUFFER ?
> Is that intentional ?

Yep.

regards,
dan carpenter

WARNING: multiple messages have this Message-ID (diff)

From: Dan Carpenter <dan.carpenter@oracle.com>
To: walter harms <wharms@bfs.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Peng Tao <bergwolf@gmail.com>,
	Andreas Dilger <andreas.dilger@intel.com>,
	Oleg Drokin <oleg.drokin@intel.com>,
	"John L. Hammond" <john.hammond@intel.com>,
	Dmitry Eremin <dmitry.eremin@intel.com>,
	Jinshan Xiong <jinshan.xiong@intel.com>,
	Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>,
	devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2 v2] staging: lustre: integer overflow in obd_ioctl_is_invalid()
Date: Mon, 28 Apr 2014 14:41:26 +0300	[thread overview]
Message-ID: <20140428114126.GK4963@mwanda> (raw)
In-Reply-To: <535E3CF7.9030609@bfs.de>

On Mon, Apr 28, 2014 at 01:35:19PM +0200, walter harms wrote:
> 
> 
> Am 28.04.2014 12:58, schrieb Dan Carpenter:
> > The obd_ioctl_getdata() function caps "data->ioc_len" at
> > OBD_MAX_IOCTL_BUFFER and then calls this obd_ioctl_is_invalid() to check
> > that the other values inside data are valid.
> > 
> > There are several lengths inside data but when they are added together
> > they must not be larger than "data->ioc_len".  The checks against
> > "(data->ioc_inllen1 > (1<<30))" are supposed to ensure that the addition
> > does not have an integer overflow.  But "(1<<30) * 4" actually can
> > overflow 32 bits, so the checks are insufficient.
> > 
> > I have changed it to "> OBD_MAX_IOCTL_BUFFER" instead.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: Updated the error messages as Walter Harms pointed out.
> > 
> > diff --git a/drivers/staging/lustre/lustre/include/lustre_lib.h b/drivers/staging/lustre/lustre/include/lustre_lib.h
> > index bdc9812..3c26bbd 100644
> > --- a/drivers/staging/lustre/lustre/include/lustre_lib.h
> > +++ b/drivers/staging/lustre/lustre/include/lustre_lib.h
> > @@ -179,24 +179,25 @@ static inline int obd_ioctl_packlen(struct obd_ioctl_data *data)
> >  
> >  static inline int obd_ioctl_is_invalid(struct obd_ioctl_data *data)
> >  {
> > -	if (data->ioc_len > (1<<30)) {
> > -		CERROR("OBD ioctl: ioc_len larger than 1<<30\n");
> > +	if (data->ioc_len > OBD_MAX_IOCTL_BUFFER) {
> > +		CERROR("OBD ioctl: ioc_len larger than %d\n",
> > +		       OBD_MAX_IOCTL_BUFFER);
> >  		return 1;
> >  	}
> > -	if (data->ioc_inllen1 > (1<<30)) {
> > -		CERROR("OBD ioctl: ioc_inllen1 larger than 1<<30\n");
> > +	if (data->ioc_inllen1 > OBD_MAX_IOCTL_BUFFER) {
> > +		CERROR("OBD ioctl: ioc_inllen1 larger than ioc_len\n");
> >  		return 1;
> >  	}
> 
> The error mention ioc_len the compare is OBD_MAX_IOCTL_BUFFER ?
> Is that intentional ?

Yep.

regards,
dan carpenter

next prev parent reply	other threads:[~2014-04-28 11:41 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-24 21:49 [patch 2/2] staging: lustre: integer overflow in obd_ioctl_is_invalid() Dan Carpenter
2014-04-25  3:22 ` Peng Tao
2014-04-25  7:13 ` walter harms
2014-04-25  7:23 ` Dan Carpenter
2014-04-28 10:58   ` [patch 2/2 v2] " Dan Carpenter
2014-04-28 10:58     ` Dan Carpenter
2014-04-28 11:35     ` walter harms
2014-04-28 11:35       ` walter harms
2014-04-28 11:41       ` Dan Carpenter [this message]
2014-04-28 11:41         ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140428114126.GK4963@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=andreas.dilger@intel.com \
    --cc=bergwolf@gmail.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=dmitry.eremin@intel.com \
    --cc=dulshani.gunawardhana89@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jinshan.xiong@intel.com \
    --cc=john.hammond@intel.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg.drokin@intel.com \
    --cc=wharms@bfs.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.