From: walter harms <wharms@bfs.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Peng Tao <bergwolf@gmail.com>,
Andreas Dilger <andreas.dilger@intel.com>,
Oleg Drokin <oleg.drokin@intel.com>,
"John L. Hammond" <john.hammond@intel.com>,
Dmitry Eremin <dmitry.eremin@intel.com>,
Jinshan Xiong <jinshan.xiong@intel.com>,
Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2 v2] staging: lustre: integer overflow in obd_ioctl_is_invalid()
Date: Mon, 28 Apr 2014 11:35:19 +0000 [thread overview]
Message-ID: <535E3CF7.9030609@bfs.de> (raw)
In-Reply-To: <20140428105858.GA31925@mwanda>
Am 28.04.2014 12:58, schrieb Dan Carpenter:
> The obd_ioctl_getdata() function caps "data->ioc_len" at
> OBD_MAX_IOCTL_BUFFER and then calls this obd_ioctl_is_invalid() to check
> that the other values inside data are valid.
>
> There are several lengths inside data but when they are added together
> they must not be larger than "data->ioc_len". The checks against
> "(data->ioc_inllen1 > (1<<30))" are supposed to ensure that the addition
> does not have an integer overflow. But "(1<<30) * 4" actually can
> overflow 32 bits, so the checks are insufficient.
>
> I have changed it to "> OBD_MAX_IOCTL_BUFFER" instead.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: Updated the error messages as Walter Harms pointed out.
>
> diff --git a/drivers/staging/lustre/lustre/include/lustre_lib.h b/drivers/staging/lustre/lustre/include/lustre_lib.h
> index bdc9812..3c26bbd 100644
> --- a/drivers/staging/lustre/lustre/include/lustre_lib.h
> +++ b/drivers/staging/lustre/lustre/include/lustre_lib.h
> @@ -179,24 +179,25 @@ static inline int obd_ioctl_packlen(struct obd_ioctl_data *data)
>
> static inline int obd_ioctl_is_invalid(struct obd_ioctl_data *data)
> {
> - if (data->ioc_len > (1<<30)) {
> - CERROR("OBD ioctl: ioc_len larger than 1<<30\n");
> + if (data->ioc_len > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_len larger than %d\n",
> + OBD_MAX_IOCTL_BUFFER);
> return 1;
> }
> - if (data->ioc_inllen1 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen1 larger than 1<<30\n");
> + if (data->ioc_inllen1 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen1 larger than ioc_len\n");
> return 1;
> }
The error mention ioc_len the compare is OBD_MAX_IOCTL_BUFFER ?
Is that intentional ?
re,
wh
> - if (data->ioc_inllen2 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen2 larger than 1<<30\n");
> + if (data->ioc_inllen2 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen2 larger than ioc_len\n");
> return 1;
> }
> - if (data->ioc_inllen3 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen3 larger than 1<<30\n");
> + if (data->ioc_inllen3 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen3 larger than ioc_len\n");
> return 1;
> }
> - if (data->ioc_inllen4 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen4 larger than 1<<30\n");
> + if (data->ioc_inllen4 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen4 larger than ioc_len\n");
> return 1;
> }
> if (data->ioc_inlbuf1 && !data->ioc_inllen1) {
>
WARNING: multiple messages have this Message-ID (diff)
From: walter harms <wharms@bfs.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Peng Tao <bergwolf@gmail.com>,
Andreas Dilger <andreas.dilger@intel.com>,
Oleg Drokin <oleg.drokin@intel.com>,
"John L. Hammond" <john.hammond@intel.com>,
Dmitry Eremin <dmitry.eremin@intel.com>,
Jinshan Xiong <jinshan.xiong@intel.com>,
Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2 v2] staging: lustre: integer overflow in obd_ioctl_is_invalid()
Date: Mon, 28 Apr 2014 13:35:19 +0200 [thread overview]
Message-ID: <535E3CF7.9030609@bfs.de> (raw)
In-Reply-To: <20140428105858.GA31925@mwanda>
Am 28.04.2014 12:58, schrieb Dan Carpenter:
> The obd_ioctl_getdata() function caps "data->ioc_len" at
> OBD_MAX_IOCTL_BUFFER and then calls this obd_ioctl_is_invalid() to check
> that the other values inside data are valid.
>
> There are several lengths inside data but when they are added together
> they must not be larger than "data->ioc_len". The checks against
> "(data->ioc_inllen1 > (1<<30))" are supposed to ensure that the addition
> does not have an integer overflow. But "(1<<30) * 4" actually can
> overflow 32 bits, so the checks are insufficient.
>
> I have changed it to "> OBD_MAX_IOCTL_BUFFER" instead.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: Updated the error messages as Walter Harms pointed out.
>
> diff --git a/drivers/staging/lustre/lustre/include/lustre_lib.h b/drivers/staging/lustre/lustre/include/lustre_lib.h
> index bdc9812..3c26bbd 100644
> --- a/drivers/staging/lustre/lustre/include/lustre_lib.h
> +++ b/drivers/staging/lustre/lustre/include/lustre_lib.h
> @@ -179,24 +179,25 @@ static inline int obd_ioctl_packlen(struct obd_ioctl_data *data)
>
> static inline int obd_ioctl_is_invalid(struct obd_ioctl_data *data)
> {
> - if (data->ioc_len > (1<<30)) {
> - CERROR("OBD ioctl: ioc_len larger than 1<<30\n");
> + if (data->ioc_len > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_len larger than %d\n",
> + OBD_MAX_IOCTL_BUFFER);
> return 1;
> }
> - if (data->ioc_inllen1 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen1 larger than 1<<30\n");
> + if (data->ioc_inllen1 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen1 larger than ioc_len\n");
> return 1;
> }
The error mention ioc_len the compare is OBD_MAX_IOCTL_BUFFER ?
Is that intentional ?
re,
wh
> - if (data->ioc_inllen2 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen2 larger than 1<<30\n");
> + if (data->ioc_inllen2 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen2 larger than ioc_len\n");
> return 1;
> }
> - if (data->ioc_inllen3 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen3 larger than 1<<30\n");
> + if (data->ioc_inllen3 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen3 larger than ioc_len\n");
> return 1;
> }
> - if (data->ioc_inllen4 > (1<<30)) {
> - CERROR("OBD ioctl: ioc_inllen4 larger than 1<<30\n");
> + if (data->ioc_inllen4 > OBD_MAX_IOCTL_BUFFER) {
> + CERROR("OBD ioctl: ioc_inllen4 larger than ioc_len\n");
> return 1;
> }
> if (data->ioc_inlbuf1 && !data->ioc_inllen1) {
>
next prev parent reply other threads:[~2014-04-28 11:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-24 21:49 [patch 2/2] staging: lustre: integer overflow in obd_ioctl_is_invalid() Dan Carpenter
2014-04-25 3:22 ` Peng Tao
2014-04-25 7:13 ` walter harms
2014-04-25 7:23 ` Dan Carpenter
2014-04-28 10:58 ` [patch 2/2 v2] " Dan Carpenter
2014-04-28 10:58 ` Dan Carpenter
2014-04-28 11:35 ` walter harms [this message]
2014-04-28 11:35 ` walter harms
2014-04-28 11:41 ` Dan Carpenter
2014-04-28 11:41 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535E3CF7.9030609@bfs.de \
--to=wharms@bfs.de \
--cc=andreas.dilger@intel.com \
--cc=bergwolf@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=devel@driverdev.osuosl.org \
--cc=dmitry.eremin@intel.com \
--cc=dulshani.gunawardhana89@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jinshan.xiong@intel.com \
--cc=john.hammond@intel.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg.drokin@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.