From: Sasha Levin <sasha.levin@oracle.com>
To: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Hugh Dickins <hughd@google.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [PATCH] mm: shmem: avoid overflowing in shmem_fallocate
Date: Wed, 03 Dec 2014 21:33:43 -0500 [thread overview]
Message-ID: <547FC807.6040000@oracle.com> (raw)
In-Reply-To: <20141204015120.GA2522@hori1.linux.bs1.fc.nec.co.jp>
On 12/03/2014 08:51 PM, Naoya Horiguchi wrote:
> On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote:
>> > "offset + len" has the potential of overflowing. Validate this user input
>> > first to avoid undefined behaviour.
>> >
>> > Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
>> > ---
>> > mm/shmem.c | 3 +++
>> > 1 file changed, 3 insertions(+)
>> >
>> > diff --git a/mm/shmem.c b/mm/shmem.c
>> > index 185836b..5a0e344 100644
>> > --- a/mm/shmem.c
>> > +++ b/mm/shmem.c
>> > @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
>> > }
>> >
>> > /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
>> > + error = -EOVERFLOW;
>> > + if ((u64)len + offset < (u64)len)
>> > + goto out;
> Hi Sasha,
>
> It seems to me that we already do some overflow check in common path,
> do_fallocate():
>
> /* Check for wrap through zero too */
> if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
> return -EFBIG;
>
> Do we really need another check?
It looks like we actually need to fix this snippet you pasted rather than shmem_fallocate().
We can't check for ((offset + len) < 0) since both offset and length are signed integers. I'll
send a patch to deal with that rather that this shmem specific one. Thanks!
Thanks,
Sasha
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sasha.levin@oracle.com>
To: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Hugh Dickins <hughd@google.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [PATCH] mm: shmem: avoid overflowing in shmem_fallocate
Date: Wed, 03 Dec 2014 21:33:43 -0500 [thread overview]
Message-ID: <547FC807.6040000@oracle.com> (raw)
In-Reply-To: <20141204015120.GA2522@hori1.linux.bs1.fc.nec.co.jp>
On 12/03/2014 08:51 PM, Naoya Horiguchi wrote:
> On Wed, Dec 03, 2014 at 07:24:07PM -0500, Sasha Levin wrote:
>> > "offset + len" has the potential of overflowing. Validate this user input
>> > first to avoid undefined behaviour.
>> >
>> > Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
>> > ---
>> > mm/shmem.c | 3 +++
>> > 1 file changed, 3 insertions(+)
>> >
>> > diff --git a/mm/shmem.c b/mm/shmem.c
>> > index 185836b..5a0e344 100644
>> > --- a/mm/shmem.c
>> > +++ b/mm/shmem.c
>> > @@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
>> > }
>> >
>> > /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
>> > + error = -EOVERFLOW;
>> > + if ((u64)len + offset < (u64)len)
>> > + goto out;
> Hi Sasha,
>
> It seems to me that we already do some overflow check in common path,
> do_fallocate():
>
> /* Check for wrap through zero too */
> if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
> return -EFBIG;
>
> Do we really need another check?
It looks like we actually need to fix this snippet you pasted rather than shmem_fallocate().
We can't check for ((offset + len) < 0) since both offset and length are signed integers. I'll
send a patch to deal with that rather that this shmem specific one. Thanks!
Thanks,
Sasha
next prev parent reply other threads:[~2014-12-04 2:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-04 0:24 [PATCH] mm: shmem: avoid overflowing in shmem_fallocate Sasha Levin
2014-12-04 0:24 ` Sasha Levin
2014-12-04 1:51 ` Naoya Horiguchi
2014-12-04 1:51 ` Naoya Horiguchi
2014-12-04 2:33 ` Sasha Levin [this message]
2014-12-04 2:33 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=547FC807.6040000@oracle.com \
--to=sasha.levin@oracle.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=n-horiguchi@ah.jp.nec.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.