All of lore.kernel.org
 help / color / mirror / Atom feed
From: Matthew Bobrowski <mbobrowski@mbobrowski.org>
To: Kees Cook <keescook@chromium.org>
Cc: Jan Kara <jack@suse.cz>, Theodore Ts'o <tytso@mit.edu>,
	Ritesh Harjani <riteshh@linux.ibm.com>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	linux-next@vger.kernel.org
Subject: Re: Coverity: ext4_iomap_alloc(): Integer handling issues
Date: Wed, 13 Nov 2019 08:28:47 +1100	[thread overview]
Message-ID: <20191112212846.GA29863@bobrowski> (raw)
In-Reply-To: <201911121256.647DA73508@keescook>

On Tue, Nov 12, 2019 at 12:56:45PM -0800, Kees Cook wrote:
> On Tue, Nov 12, 2019 at 12:00:04PM +0100, Jan Kara wrote:
> > On Tue 12-11-19 18:22:41, Matthew Bobrowski wrote:
> > > On Mon, Nov 11, 2019 at 05:35:44PM -0800, coverity-bot wrote:
> > > > This is an experimental automated report about issues detected by Coverity
> > > > from a scan of next-20191108 as part of the linux-next weekly scan project:
> > > > https://scan.coverity.com/projects/linux-next-weekly-scan
> > > > 
> > > > You're getting this email because you were associated with the identified
> > > > lines of code (noted below) that were touched by recent commits:
> > > > 
> > > > 378f32bab371 ("ext4: introduce direct I/O write using iomap infrastructure")
> > > > 
> > > > Coverity reported the following:
> > > > 
> > > > *** CID 1487841:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> > > > /fs/ext4/inode.c: 3388 in ext4_iomap_alloc()
> > > > 3382     	/*
> > > > 3383     	 * We use i_size instead of i_disksize here because delalloc writeback
> > > > 3384     	 * can complete at any point during the I/O and subsequently push the
> > > > 3385     	 * i_disksize out to i_size. This could be beyond where direct I/O is
> > > > 3386     	 * happening and thus expose allocated blocks to direct I/O reads.
> > > > 3387     	 */
> > > > vvv     CID 1487841:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> > > > vvv     Potentially overflowing expression "1 << blkbits" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "loff_t" (64 bits, signed).
> > > > 3388     	else if ((map->m_lblk * (1 << blkbits)) >= i_size_read(inode))
> > > > 3389     		m_flags = EXT4_GET_BLOCKS_CREATE;
> > > > 3390     	else if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
> > > > 3391     		m_flags = EXT4_GET_BLOCKS_IO_CREATE_EXT;
> > > 
> > > In the event of an overflow in this specific context, I don't think it
> > > would matter too much to be perfectly honest. If 'blkbits' were to
> > > actually ever push out the signed integer to a value that couldn't be
> > > represented by this data type, I would expect the resulting wrapping
> > > behaviour to _only_ affect how filesystem blocks are allocated. In
> > > that case, I/O workloads would behave alot differently, and at that
> > > point I would hope that our filesystem related testing infrastructure
> > > would pick this up before allowing anything to leak out into the
> > > wild...
> > > 
> > > Unless my trail of thought is wrong? Happy to be corrected here and
> > > educated on this.
> > 
> > Fully agreed. blkbits is never expected to be larger than 16 in this code.
> > So this is false positive.
> 
> Thanks for looking into this!

No problem!
 
> Is it worth changing the type to u8 or something?

'blkbits' in this case is already of data type u8, so this would
effectively be a no-op. :)

/M

  reply	other threads:[~2019-11-12 21:28 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-12  1:35 Coverity: ext4_iomap_alloc(): Integer handling issues coverity-bot
2019-11-12  7:22 ` Matthew Bobrowski
2019-11-12 11:00   ` Jan Kara
2019-11-12 20:56     ` Kees Cook
2019-11-12 21:28       ` Matthew Bobrowski [this message]
2019-11-12 22:17         ` Kees Cook
2019-11-13  4:38           ` Matthew Bobrowski
2019-11-13  9:37           ` Jan Kara
2019-11-13 18:38             ` Kees Cook
2019-11-14  8:58               ` Jan Kara
2019-11-14 18:43                 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191112212846.GA29863@bobrowski \
    --to=mbobrowski@mbobrowski.org \
    --cc=gustavo@embeddedor.com \
    --cc=jack@suse.cz \
    --cc=keescook@chromium.org \
    --cc=linux-next@vger.kernel.org \
    --cc=riteshh@linux.ibm.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.