[Ocfs2-devel] [PATCH] ocfs2: Fix memory overflow in cow_by_page.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tao Ma <tao.ma@oracle.com>
To: ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH] ocfs2: Fix memory overflow in cow_by_page.
Date: Tue, 26 Jan 2010 11:30:19 +0800	[thread overview]
Message-ID: <4B5E61CB.2090409@oracle.com> (raw)
In-Reply-To: <20100126031956.GC15982@mail.oracle.com>



Joel Becker wrote:
> On Thu, Jan 21, 2010 at 02:59:26PM +0800, Tao Ma wrote:
>> In ocfs2_duplicate_clusters_by_page, we calculate map_end
>> by shifting page_index. But actually in case we meet with
>> a large offset(say in a i686 box, poff_t is only 32 bits
>> and page_index=2056240), we will overflow. So change it
>> by adding PAGE_CACHE_SIZE to offset.
>>
>> Signed-off-by: Tao Ma <tao.ma@oracle.com>
>> ---
>>  fs/ocfs2/refcounttree.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
>> index 74db2be..6db863d 100644
>> --- a/fs/ocfs2/refcounttree.c
>> +++ b/fs/ocfs2/refcounttree.c
>> @@ -2945,7 +2945,7 @@ static int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>>  
>>  	while (offset < end) {
>>  		page_index = offset >> PAGE_CACHE_SHIFT;
>> -		map_end = (page_index + 1) << PAGE_CACHE_SHIFT;
>> +		map_end = offset + PAGE_CACHE_SIZE;
> 
> 	First, we can't be computing by offset, because map_end is
> supposed to be page bounded, right?  Also, what if we have an offset
> that is the last page possible?  Won't that wrap as well, setting
> map_end to 0?
> 	Why aren't we computing map_end like we compute end, as a loff_t
> value?
> 
>   		page_index = offset >> PAGE_CACHE_SHIFT;
> - 		map_end = (page_index + 1) << PAGE_CACHE_SHIFT;
> + 		map_end = ((loff_t)page_index + 1) << PAGE_CACHE_SHIFT;
> 
>   		if (map_end > end)
>   			map_end = end;
> 
> The map_end>end check will catch anything too big.
oh, you are right.
I only considered the problem of overflow, but forget the original 
usage. Sorry.

Regards,
Tao

next prev parent reply	other threads:[~2010-01-26  3:30 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-01-21  6:59 [Ocfs2-devel] [PATCH] ocfs2: Fix memory overflow in cow_by_page Tao Ma
2010-01-22  2:54 ` Sunil Mushran
2010-01-26  3:19 ` Joel Becker
2010-01-26  3:30   ` Tao Ma [this message]
2010-01-26  4:24   ` Tao Ma

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B5E61CB.2090409@oracle.com \
    --to=tao.ma@oracle.com \
    --cc=ocfs2-devel@oss.oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.