From: Jiri Slaby <jslaby@suse.cz>
To: Ben Hutchings <ben@decadent.org.uk>, stable@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 2.6.32-4.0] sg_start_req(): make sure that there's not too many elements in iovec
Date: Mon, 3 Aug 2015 11:56:58 +0200 [thread overview]
Message-ID: <55BF3AEA.3030104@suse.cz> (raw)
In-Reply-To: <1438449959.3225.18.camel@decadent.org.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 08/01/2015, 07:25 PM, Ben Hutchings wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
>
> commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
>
> unfortunately, allowing an arbitrary 16bit value means a
> possibility of overflow in the calculation of total number of pages
> in bio_map_user_iov() - we rely on there being no more than
> PAGE_SIZE members of sum in the first loop there. If that sum
> wraps around, we end up allocating too small array of pointers to
> pages and it's easy to overflow it in the second loop.
>
> X-Coverup: TINC (and there's no lumber cartel either)
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> [bwh:
> s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
> fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't
> have that function.] Signed-off-by: Ben Hutchings
> <ben@decadent.org.uk> --- It looks like this bug was introduced in
> 2.6.28 by commit 10db10d144c0 ("sg: convert the indirect IO path to
> use the block layer"), so the fix is needed for all stable
> branches.
Thanks, now applied to 3.12.
- --
js
suse labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVvzroAAoJEL0lsQQGtHBJYwcP/0/o5VbbC8kuAsnOVWBfhZ6k
6MmD4ubR6A39OR12Uj4AsoFR/0FsNCmoU5F74JCTJZENkmcn9VTg6VPmMmDh6QtR
6iGnIMD3zhZK1Z4Cj+6vmbnFHUMmsvwcIr+l3BV5GFT/cpxslgOzCwERmIpT0KuC
C1akB2hnC0LfQumy2g8PLYZB1XHYGJ4JPBRFpTGvVau/BzU8yutXY4XAzKa3WWmY
oCAKR4A6LV5uBgy7WFJbBFxaPRp8tpS8+be1TQvV1A+DzwStv/ckvfWW4TOBFIec
qFxxPsGjiVB+Et44tBIhqSLmcRCxYTGUKueeIhN32K+KVm3R9ag/XH+EVHAeMACw
2QZBRB20gGDMimhEFx50qcfJAuLQyug2pCMwGvWJ/3IRc0ovm3rm1jnFyXBd9f3f
Nz3TS5dp/wJ6uAQ5DQXypXB2pSWG6D6Pu5dS5ixCoCHCeip54NlYNt2LU/2dh6A/
j4iphf+DeXl/v+5ej9lLEgz/FsU742jXSBnZ4k9ubH2ktzLGYNI90Y3s+1RuuHGy
d9yyIeq8KGdxMJj7kw6N1x0mOSunAS7xjzPzzP5ZkwKnqIUTQlePbOnl3HFQBs3V
FhElv7BMK0jfkpi1tYxSKOwCqJlSPHAFjOigw/uKRfFTETFBEE02ejmJhF7iu7mT
a2iFj8Ur6z/i7WoK1HGQ
=Pg4U
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2015-08-03 9:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-01 17:25 [PATCH 2.6.32-4.0] sg_start_req(): make sure that there's not too many elements in iovec Ben Hutchings
2015-08-01 17:33 ` Willy Tarreau
2015-08-03 9:56 ` Jiri Slaby [this message]
2015-08-10 9:26 ` Luis Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55BF3AEA.3030104@suse.cz \
--to=jslaby@suse.cz \
--cc=ben@decadent.org.uk \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.