From: Jerome Marchand <jmarchan@redhat.com>
To: Minchan Kim <minchan@kernel.org>
Cc: Jiang Liu <liuj97@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Nitin Gupta <ngupta@vflare.org>, Jiang Liu <jiang.liu@huawei.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v3 05/10] zram: avoid access beyond the zram device
Date: Fri, 07 Jun 2013 11:40:26 +0200
Message-ID: <51B1AA8A.4010005@redhat.com>
In-Reply-To: <20130607080945.GD22516@blaptop>

On 06/07/2013 10:09 AM, Minchan Kim wrote:
> On Fri, Jun 07, 2013 at 12:07:26AM +0800, Jiang Liu wrote:
>> Function valid_io_request() should verify the entire request are within
>> the zram device address range. Otherwise it may cause invalid memory
>> access when accessing/modifying zram->meta->table[index] because the
>> 'index' is out of range. Then it may access non-exist memory, randomly
>> modify memory belong to other subsystems, which is hard to track down.
>>
>> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
>> Cc: stable@vger.kernel.org
>> ---
>> drivers/staging/zram/zram_drv.c | 17 ++++++++++++-----
>> 1 file changed, 12 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>> index 27ab824..9289217 100644
>> --- a/drivers/staging/zram/zram_drv.c
>> +++ b/drivers/staging/zram/zram_drv.c
>> @@ -420,13 +420,20 @@ out:
>> */
>> static inline int valid_io_request(struct zram *zram, struct bio *bio)
>> {
>> - if (unlikely(
>> - (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> - (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) ||
>> - (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) {
>> + u64 start, end, bound;
>> +
>> + /* unaligned request */
>> + if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)))
>> + return 0;
>> + if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))
>> + return 0;
>>
>> + start = bio->bi_sector;
>> + end = start + (bio->bi_size >> SECTOR_SHIFT);
>> + bound = zram->disksize >> SECTOR_SHIFT;
>> + /* out of range range */
>> + if (unlikely(start >= bound || end >= bound || start > end))
>
> if (end >= bound || start > end) isn't enough?
I shall think so.
Jerome
>
>> return 0;
>> - }
>>
>> /* I/O request is valid */
>> return 1;
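Review bot: in the range check, `end >= bound` rejects a request that finishes exactly at the end of the device. `end` is computed as `start + (bio->bi_size >> SECTOR_SHIFT)`, so it is one past the last sector the request touches, and a request covering the final logical block has `end == bound`; the comparison should be `end > bound`. With that change, `start >= bound` is no longer redundant and should stay: a request with a `bi_size` of zero at `start == bound` would otherwise pass both `end > bound` and `start > end`. The comment `/* out of range range */` also has a doubled word.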
>> --
>> 1.8.1.2
>>
>