From: Alex Elder <elder@dreamhost.com>
To: Xi Wang <xi.wang@gmail.com>
Cc: ceph-devel@vger.kernel.org, Yehuda Sadeh <yehuda@hq.newdream.net>,
Sage Weil <sage@newdream.net>
Subject: Re: [PATCH] rbd: fix integer overflow in rbd_header_from_disk()
Date: Wed, 18 Apr 2012 09:21:46 -0500 [thread overview]
Message-ID: <4F8ECDFA.70209@dreamhost.com> (raw)
In-Reply-To: <1334008335-8377-1-git-send-email-xi.wang@gmail.com>
On 04/09/2012 04:52 PM, Xi Wang wrote:
> ondisk->snap_count is read from disk via rbd_req_sync_read() and thus
> needs validation. Otherwise, a bogus `snap_count' could overflow the
> kmalloc() size, leading to memory corruption.
>
> Also use `u32' consistently for `snap_count'.
This looks good, however I have changed it to use UINT_MAX
rather than ULONG_MAX, because on some architectures size_t
(__kernel_size_t) is defined as type (unsigned int). It
is the more conservative value, and even on architectures
where __BITS_PER_LONG is 64, it still offers a sane upper
bound on the number of snapshots for a rbd device.
Reviewed-by: Alex Elder <elder@dreamhost.com>
> Signed-off-by: Xi Wang<xi.wang@gmail.com>
> ---
> drivers/block/rbd.c | 12 +++++++-----
> 1 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
> index 013c7a5..d47f7e6 100644
> --- a/drivers/block/rbd.c
> +++ b/drivers/block/rbd.c
> @@ -487,18 +487,20 @@ static void rbd_coll_release(struct kref *kref)
> */
> static int rbd_header_from_disk(struct rbd_image_header *header,
> struct rbd_image_header_ondisk *ondisk,
> - int allocated_snaps,
> + u32 allocated_snaps,
> gfp_t gfp_flags)
> {
> - int i;
> - u32 snap_count;
> + u32 i, snap_count;
>
> if (memcmp(ondisk, RBD_HEADER_TEXT, sizeof(RBD_HEADER_TEXT)))
> return -ENXIO;
>
> snap_count = le32_to_cpu(ondisk->snap_count);
> + if (snap_count> (ULONG_MAX - sizeof(struct ceph_snap_context))
> + / sizeof(*ondisk))
> + return -EINVAL;
> header->snapc = kmalloc(sizeof(struct ceph_snap_context) +
> - snap_count * sizeof (*ondisk),
> + snap_count * sizeof(*ondisk),
> gfp_flags);
> if (!header->snapc)
> return -ENOMEM;
> @@ -1592,7 +1594,7 @@ static int rbd_read_header(struct rbd_device *rbd_dev,
> {
> ssize_t rc;
> struct rbd_image_header_ondisk *dh;
> - int snap_count = 0;
> + u32 snap_count = 0;
> u64 ver;
> size_t len;
>
next prev parent reply other threads:[~2012-04-18 14:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-09 21:52 [PATCH] rbd: fix integer overflow in rbd_header_from_disk() Xi Wang
2012-04-18 14:21 ` Alex Elder [this message]
2012-04-18 18:09 ` Xi Wang
2012-04-18 18:47 ` Alex Elder
2012-04-18 23:59 ` Xi Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F8ECDFA.70209@dreamhost.com \
--to=elder@dreamhost.com \
--cc=ceph-devel@vger.kernel.org \
--cc=sage@newdream.net \
--cc=xi.wang@gmail.com \
--cc=yehuda@hq.newdream.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.