From: Pavel Begunkov <asml.silence@gmail.com>
To: Colin Ian King <colin.king@canonical.com>,
Jens Axboe <axboe@kernel.dk>,
io-uring@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH][next] io_uring: Fix incorrect sizeof operator for copy_from_user call
Date: Tue, 15 Jun 2021 13:10:19 +0100 [thread overview]
Message-ID: <9b2b2cdf-e273-d188-b022-c821b05ce23b@gmail.com> (raw)
In-Reply-To: <067e8830-f6ec-612a-2c8a-8da459f659d1@canonical.com>
On 6/15/21 12:35 PM, Colin Ian King wrote:
> On 15/06/2021 12:30, Pavel Begunkov wrote:
>> On 6/15/21 11:47 AM, Colin Ian King wrote:
>>> On 15/06/2021 11:45, Colin King wrote:
>>>> From: Colin Ian King <colin.king@canonical.com>
>>>>
>>>> Static analysis is warning that the sizeof being used is should be
>>>> of *data->tags[i] and not data->tags[i]. Although these are the same
>>>> size on 64 bit systems it is not a portable assumption to assume
>>>> this is true for all cases.
>>>>
>>>> Addresses-Coverity: ("Sizeof not portable")
>>>> Fixes: d878c81610e1 ("io_uring: hide rsrc tag copy into generic helpers")
>>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>>> ---
>>>> fs/io_uring.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>>> index d665c9419ad3..6b1a70449749 100644
>>>> --- a/fs/io_uring.c
>>>> +++ b/fs/io_uring.c
>>>> @@ -7231,7 +7231,7 @@ static int io_rsrc_data_alloc(struct io_ring_ctx *ctx, rsrc_put_fn *do_put,
>>>> ret = -EFAULT;
>>>> for (i = 0; i < nr; i++) {
>>>> if (copy_from_user(io_get_tag_slot(data, i), &utags[i],
>>>> - sizeof(data->tags[i])))
>>>> + sizeof(*data->tags[i])))
>>>> goto fail;
>>>> }
>>>> }
>>>>
>>
>
>
>> Yep, thanks Colin. I think `sizeof(io_get_tag_slot(data, i))`
>> would be less confusing. Or
>>
>> u64 *tag_slot = io_get_tag_slot(data, i);
>> copy_from_user(tag_slot, ..., sizeof(*tag_slot));
>>
> BTW, Coverity is complaining about:
>
> 7220 return -ENOMEM;
>
> Wrong sizeof argument (SIZEOF_MISMATCH)
>
> suspicious_sizeof: Passing argument nr * 8UL /* sizeof
> (data->tags[0][0]) */ to function io_alloc_page_table and then casting
> the return value to u64 ** is suspicious.
>
> 7221 data->tags = (u64 **)io_alloc_page_table(nr *
> sizeof(data->tags[0][0]));
Ah, this one. We want it to be indexed linearly, but can't allocate
as much, so together with io_get_tag_slot() it hides two level
tables from us, providing linear indexing.
>
> Not sure if that's a false positive or not. This kind of indirection
> makes my brain melt.
So, this one should be a false positive. But agree about the
indirection, it's not the first sizeof bug you found. Any
better ideas how to push it to the type system?
I think something like below would make more sense
#define copy_from_user_typed(from, to) \
assert(typeof(from) == typeof(to)),
copy_from_user(from, to, sizeof(*from));
--
Pavel Begunkov
prev parent reply other threads:[~2021-06-15 12:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-15 10:45 [PATCH][next] io_uring: Fix incorrect sizeof operator for copy_from_user call Colin King
2021-06-15 10:47 ` Colin Ian King
2021-06-15 11:30 ` Pavel Begunkov
2021-06-15 11:35 ` Colin Ian King
2021-06-15 12:10 ` Pavel Begunkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b2b2cdf-e273-d188-b022-c821b05ce23b@gmail.com \
--to=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=colin.king@canonical.com \
--cc=io-uring@vger.kernel.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.