From: Jerome Marchand <jmarchan@redhat.com>
To: Jiang Liu <liuj97@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Nitin Gupta <ngupta@vflare.org>, Minchan Kim <minchan@kernel.org>,
Yijing Wang <wangyijing@huawei.com>,
Jiang Liu <jiang.liu@huawei.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v1 6/8] zram: avoid access beyond the zram device
Date: Wed, 05 Jun 2013 10:52:48 +0200
Message-ID: <51AEFC60.70107@redhat.com>
In-Reply-To: <51AE033D.8090302@gmail.com>

On 06/04/2013 05:09 PM, Jiang Liu wrote:
> On Tue 04 Jun 2013 09:15:43 PM CST, Jerome Marchand wrote:
>> On 06/03/2013 05:42 PM, Jiang Liu wrote:
>>> Function valid_io_request() should verify the entire request doesn't
>>> exceed the zram device, otherwise it will cause invalid memory access.
>>>
>>> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
>>> ---
>>> drivers/staging/zram/zram_drv.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>>> index 66cf28a..64b51b9 100644
>>> --- a/drivers/staging/zram/zram_drv.c
>>> +++ b/drivers/staging/zram/zram_drv.c
>>> @@ -428,6 +428,10 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
>>> return 0;
>>> }
>>>
>>> + if (unlikely((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>>> + zram->disksize))
>>> + return 0;
>>> +
>>
>> This test makes the first line of previous test redundant. Why not just
>> update it like the following:
>>
>> - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> + ((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>> + zram->disksize)) ||
>>
>>
>> Jerome
> Hi Jerome,
> I think the test "bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)"
> is still needed to protect
> "(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size" from wrapping around.

Good point, but I don't see how this is going to catch all the possible
values that overflow. You still need an explicit overflow test
((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size < bio->bi_size), at
which point the first test would be useless.

Jerome

> Regards!
> Gerry
>
>>
>>> /* I/O request is valid */
>>> return 1;
>>> }
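Review bot: the added `if` compares with `>=`, so a request whose end offset `(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size` equals `zram->disksize`, that is, one covering the last bytes of the device, returns 0 as if it were out of range; `>` is the bound that matches "doesn't exceed the zram device" in the commit message. The expression also depends on the earlier start-sector test quoted in this thread to keep the shift and the addition from wrapping, which deserves a comment or a rewrite in sector units (end sector compared against `zram->disksize >> SECTOR_SHIFT`).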
>>>
>>
>
>
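The wraparound discussed in this thread, as an added example that is not code from the thread or from the zram driver: a userspace C model comparing the byte-offset end check used on its own with the same bound computed in sector units. `struct req`, the function names and the 1 MiB device are constructed for illustration, and a 64-bit sector type is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SHIFT 9

/* Hypothetical userspace stand-in for the bio fields named in the thread. */
struct req {
    uint64_t sector; /* models bio->bi_sector (64-bit sector type assumed) */
    uint32_t size;   /* models bio->bi_size, in bytes */
};

/* Byte-offset end check on its own, with no separate start-sector test.
 * The shift discards high bits of a huge sector, so the sum can look small. */
static bool end_check_bytes(struct req r, uint64_t disksize)
{
    return !((r.sector << SECTOR_SHIFT) + r.size >= disksize);
}

/* Same bound in sector units. bound - r.sector cannot underflow because the
 * first test already established r.sector < bound; nothing is shifted left. */
static bool end_check_sectors(struct req r, uint64_t disksize)
{
    uint64_t bound = disksize >> SECTOR_SHIFT;
    uint64_t nsect = r.size >> SECTOR_SHIFT;

    return r.sector < bound && nsect <= bound - r.sector;
}

int main(void)
{
    const uint64_t disksize = 1 << 20; /* constructed 1 MiB device */
    const struct req cases[] = {
        { 0, 4096 },           /* first page */
        { 2040, 4096 },        /* last page, ends exactly at disksize */
        { 2044, 4096 },        /* runs past the end */
        { 1ULL << 55, 4096 },  /* sector << 9 wraps to 0 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("sector=%llu bytes=%d sectors=%d\n",
               (unsigned long long)cases[i].sector,
               end_check_bytes(cases[i], disksize),
               end_check_sectors(cases[i], disksize));
    return 0;
}
```

The two checks disagree on the last two rows: the byte form refuses the request for the final page and accepts the one whose shifted sector wraps to zero.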