From: Jeff Liu <jeff.liu@oracle.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
rds-devel@oss.oracle.com, netdev@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] RDS: fix an integer overflow check
Date: Sat, 13 Oct 2012 13:25:40 +0000
Message-ID: <50796BD4.4000608@oracle.com>
In-Reply-To: <20121012073146.GA9543@elgon.mountain>

On 10/12/2012 03:31 PM, Dan Carpenter wrote:
> "len" is an int. We verified that len was positive already. Since
> PAGE_SIZE is specified as an unsigned long, the type is promoted to
> unsigned and the condition is never true.
>
> I'm not sure this check is actually needed. It might be that we could
> just remove it?
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/net/rds/info.c b/net/rds/info.c
> index 9a6b4f6..4d62618 100644
> --- a/net/rds/info.c
> +++ b/net/rds/info.c
> @@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
>
> /* check for all kinds of wrapping and the like */
> start = (unsigned long)optval;
> - if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {

It looks like the original thought was to check len + (PAGE_SIZE - 1) < len to
avoid integer overflow, but it lacks a "()".

However, we only have one add operation in this function, which is
shown as follows:

	nr_pages = (PAGE_ALIGN(start + len) - (start & PAGE_MASK))
			>> PAGE_SHIFT;

I have also gone through the call chains, and there are no other (start + len)
operations for all transports. I think it's safe to remove this check
if so.

Thanks,
-Jeff

> + if (len < 0 || len > INT_MAX - (PAGE_SIZE - 1) || start + len < start) {
> ret = -EINVAL;
> goto out;
> }
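
Review bot: The new middle term, len > INT_MAX - (PAGE_SIZE - 1), bounds len on its own, but nothing visible in this hunk adds PAGE_SIZE - 1 to len alone; the only other arithmetic in the condition is start + len, which the third term already covers. Either extend the "check for all kinds of wrapping" comment to say which later computation this bound protects, or drop the term as the commit message suggests. If it stays, the comparison is still mixed int/unsigned long because of PAGE_SIZE, so an explicit cast on len would show that the promotion is intended this time.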
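
The promotion behaviour discussed in this thread, as an added example that is not part of either message or of the kernel source: it evaluates the pre-patch test, the parenthesised variant mentioned in the reply, and the patched test over constructed lengths. DEMO_PAGE_SIZE (4 KiB assumed), the function names and the sample values are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: 4 KiB pages; unsigned long, as the patch description states. */
#define DEMO_PAGE_SIZE 4096UL

/* Pre-patch form. len is converted to unsigned long before the addition, so
 * for any non-negative int the sum is larger than len and the middle term
 * can never be true. */
static bool old_check_rejects(int len)
{
	return len < 0 || len + DEMO_PAGE_SIZE - 1 < len;
}

/* Same test with the parentheses added: the arithmetic is still unsigned
 * long, so the result is identical. */
static bool paren_check_rejects(int len)
{
	return len < 0 || len + (DEMO_PAGE_SIZE - 1) < len;
}

/* Patched form: compare len against a bound instead of adding to it.
 * INT_MAX is converted to unsigned long, so the bound is INT_MAX - 4095. */
static bool new_check_rejects(int len)
{
	return len < 0 || len > INT_MAX - (DEMO_PAGE_SIZE - 1);
}

/* Constructed sample lengths on both sides of the new bound. */
static const int samples[] = { 0, 1, 4096, INT_MAX - 4095, INT_MAX - 4094, INT_MAX };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

static int count_rejected(bool (*check)(int))
{
	int n = 0;
	for (size_t i = 0; i < NSAMPLES; i++)
		n += check(samples[i]) ? 1 : 0;
	return n;
}

int main(void)
{
	printf("old: %d  parenthesised: %d  patched: %d (of %zu)\n",
	       count_rejected(old_check_rejects),
	       count_rejected(paren_check_rejects),
	       count_rejected(new_check_rejects), NSAMPLES);
	return 0;
}
```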