From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: [patch] staging: lustre: potential underflow in mdc_iocontrol()
Date: Tue, 06 Jan 2015 09:57:08 +0000 [thread overview]
Message-ID: <20150106095708.GB8698@mwanda> (raw)
Smatch complains that "data->ioc_plen2" is a user controlled value and,
since we cast to signed int, the limit check can underflow. It's not
very serious because probably the copy_to_user() would return -EFAULT
on every arch that matters instead of creating an info leak. Also I
haven't followed it through to see if the value is really user
controlled.
But definitely it would be safer to cast to unsigned so let's do that.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/lustre/lustre/mdc/mdc_request.c b/drivers/staging/lustre/lustre/mdc/mdc_request.c
index 3b0f245..05d05ce 100644
--- a/drivers/staging/lustre/lustre/mdc/mdc_request.c
+++ b/drivers/staging/lustre/lustre/mdc/mdc_request.c
@@ -1908,8 +1908,8 @@ static int mdc_iocontrol(unsigned int cmd, struct obd_export *exp, int len,
/* copy UUID */
if (copy_to_user(data->ioc_pbuf2, obd2cli_tgt(obd),
- min((int) data->ioc_plen2,
- (int) sizeof(struct obd_uuid)))) {
+ min_t(size_t, data->ioc_plen2,
+ sizeof(struct obd_uuid)))) {
rc = -EFAULT;
goto out;
}
@@ -1921,8 +1921,8 @@ static int mdc_iocontrol(unsigned int cmd, struct obd_export *exp, int len,
goto out;
if (copy_to_user(data->ioc_pbuf1, &stat_buf,
- min((int) data->ioc_plen1,
- (int) sizeof(stat_buf)))) {
+ min_t(size_t, data->ioc_plen1,
+ sizeof(stat_buf)))) {
rc = -EFAULT;
goto out;
}
next reply other threads:[~2015-01-06 9:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-06 9:57 Dan Carpenter [this message]
2015-10-29 13:51 ` [patch] staging: lustre: potential underflow in libcfs_kkuc_group_add() Dan Carpenter
2015-10-29 13:51 ` [lustre-devel] " Dan Carpenter
2015-11-03 23:28 ` Simmons, James A.
2015-11-03 23:28 ` [lustre-devel] " Simmons, James A.
2015-11-03 23:49 ` Frank Zago
2015-11-03 23:49 ` [lustre-devel] " Frank Zago
2015-11-04 18:25 ` Dan Carpenter
2015-11-04 18:25 ` [lustre-devel] " Dan Carpenter
2015-11-04 19:00 ` Simmons, James A.
2015-11-04 19:00 ` [lustre-devel] " Simmons, James A.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150106095708.GB8698@mwanda \
--to=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.