From: Baokun Li <libaokun@linux.alibaba.com>
To: sashiko@lists.linux.dev
Cc: tytso@mit.edu
Subject: Re: [PATCH RFC 01/17] lib/crc: add crc32c_flip_range() for incremental CRC update
Date: Sun, 10 May 2026 17:44:27 +0800
Message-ID: <2763fc46-3342-48ac-bc57-3a46efd84844@linux.alibaba.com>
In-Reply-To: <20260508204019.9E5A5C2BCB0@smtp.kernel.org>

On 2026/5/9 04:40, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Integer overflow in `bit_off + nbits` bypasses bounds checks, leading to out-of-bounds kernel memory reads.
> --
>
> commit 23c49b9c6860184b707e1c64499ef573ebaa8332
> Author: Baokun Li <libaokun@linux.alibaba.com>
>
> lib/crc: add crc32c_flip_range() for incremental CRC update
>
> This commit introduces crc32c_flip_range() to compute a CRC32c delta for
> flipped bits using precomputed GF(2) shift matrices. It gives O(log N)
> complexity for incremental updates, which is useful for situations like
> bitmap updates in filesystems.
>
>> diff --git a/lib/crc/crc32c-incr.c b/lib/crc/crc32c-incr.c
>> new file mode 100644
>> index 0000000000000..b6258231cc0df
>> --- /dev/null
>> +++ b/lib/crc/crc32c-incr.c
> [ ... ]
>> +u32 crc32c_flip_range(u32 old_crc, u32 total_bits,
>> +		      u32 bit_off, u32 nbits)
>> +{
>> +	u32 delta, trailing_bits;
>> +
>> +	if (!nbits)
>> +		return old_crc;
>> +
>> +	/*
>> +	 * total_bits must not exceed 2^INCR_MAX_ORDER bits (64KB).
>> +	 * bit_off + nbits must not exceed total_bits.
>> +	 */
>> +	if (WARN_ON_ONCE(total_bits > (1UL << INCR_MAX_ORDER)))
>> +		return old_crc;
>> +	if (WARN_ON_ONCE(bit_off + nbits > total_bits))
> Could this addition overflow since both bit_off and nbits are u32?
>
> If an external caller provides a very large nbits (such as 0xFFFFFFFF) and
> a small bit_off, their sum wraps around to a small value, which passes the
> greater-than total_bits check.
>
> If this occurs, the function proceeds to call crc32c_incr_get_ones_delta()
> with the large nbits value:
>
>> +		return old_crc;
>> +
>> +	trailing_bits = total_bits - (bit_off + nbits);
>> +
>> +	/* 1. Calculate CRC of the flip-mask (all 1s of length nbits) */
>> +	delta = crc32c_incr_get_ones_delta(nbits);
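Review bot: both `trailing_bits = total_bits - (bit_off + nbits);` and `delta = crc32c_incr_get_ones_delta(nbits);` consume values that the preceding WARN_ON_ONCE() only validates through a u32 sum, so a wrapped sum produces a bogus trailing_bits in addition to the oversized __fls() index; check `nbits > total_bits || bit_off > total_bits - nbits` (or compute the end with check_add_overflow() from linux/overflow.h) before either line, and consider rejecting an __fls() index of 20 or more inside crc32c_incr_get_ones_delta() itself as a second guard, since the lookup tables have 20 and 19 entries.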
> Is it possible this leads to an out-of-bounds read?
>
> Looking at crc32c_incr_get_ones_delta(), passing a large nbits like
> 0xFFFFFFFF results in __fls(num_bits) evaluating to 31. This would be used
> to access indexes in crc32c_incr_ones_lookup[] (size 20) and
> crc32c_incr_nibble_table[] (size 19), reading past the end of the arrays.
>
> A bounds check like nbits > total_bits || bit_off > total_bits - nbits
> might prevent this overflow.
>
>
Indeed, I will fix this issue in the next version.

Thanks,
Baokun
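The wrap-around described in the review, as an added userspace model that is not part of the patch or this thread: the check as posted beside the rearranged one, with INCR_MAX_ORDER assumed to be 19 (2^19 bits = 64KB, per the hunk's comment) and crc32c_incr_get_ones_delta() reduced to the __fls() index it would derive from nbits.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Constructed model of the bounds checks in the quoted
 * crc32c_flip_range() hunk. INCR_MAX_ORDER is assumed to be 19
 * (2^19 bits = 64KB, as the hunk's comment states); the 20-entry
 * lookup table size is the figure given in the review.
 */
#define INCR_MAX_ORDER 19
#define ONES_LOOKUP_SIZE 20

/* The check as posted: bit_off + nbits is a u32 sum and can wrap. */
static bool range_ok_as_posted(uint32_t total_bits, uint32_t bit_off, uint32_t nbits)
{
	if (total_bits > (1UL << INCR_MAX_ORDER))
		return false;
	if (bit_off + nbits > total_bits)	/* wraps for a large nbits */
		return false;
	return true;
}

/* The rearranged check suggested in the review: no addition, so no wrap. */
static bool range_ok_fixed(uint32_t total_bits, uint32_t bit_off, uint32_t nbits)
{
	if (total_bits > (1UL << INCR_MAX_ORDER))
		return false;
	if (nbits > total_bits || bit_off > total_bits - nbits)
		return false;
	return true;
}

/* Index crc32c_incr_get_ones_delta() would derive from nbits (__fls semantics). */
static unsigned int fls_index(uint32_t nbits)
{
	unsigned int idx = 0;

	while (nbits >>= 1)
		idx++;
	return idx;
}

/* True when the derived index stays inside the 20-entry lookup table. */
static bool lookup_index_in_bounds(uint32_t nbits)
{
	return fls_index(nbits) < ONES_LOOKUP_SIZE;
}
```

With total_bits = 2^19, bit_off = 8 and nbits = 0xFFFFFFFF the posted check accepts the range (the sum wraps to 7) while the rearranged one rejects it, and the index that would be looked up is 31.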

