[Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling.

Distributed Replicated Block Device (DRBD) development
 help / color / mirror / Atom feed

* [Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling.
@ 2022-07-23  7:59 John Sanpe
  2022-08-01 15:40 ` Christoph Böhmwalder
  0 siblings, 1 reply; 2+ messages in thread
From: John Sanpe @ 2022-07-23  7:59 UTC (permalink / raw)
  To: philipp.reisner, lars.ellenberg, christoph.boehmwalder
  Cc: John Sanpe, linux-kernel, drbd-dev

This problem occurs when malloc element failed on the first time.
At this time, the counter i is 0. When it's released, we subtract 1
in advance without checking, which will cause i to become UINT_MAX,
resulting in array overflow.

Signed-off-by: John Sanpe <sanpeqf@gmail.com>
---
 lib/lru_cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lru_cache.c b/lib/lru_cache.c
index 52313acbfa62..04d95de92602 100644
--- a/lib/lru_cache.c
+++ b/lib/lru_cache.c
@@ -147,7 +147,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
 		return lc;

 	/* else: could not allocate all elements, give up */
-	for (i--; i; i--) {
+	while (i--) {
 		void *p = element[i];
 		kmem_cache_free(cache, p - e_off);
 	}
-- 
2.36.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling.
  2022-07-23  7:59 [Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling John Sanpe
@ 2022-08-01 15:40 ` Christoph Böhmwalder
  0 siblings, 0 replies; 2+ messages in thread
From: Christoph Böhmwalder @ 2022-08-01 15:40 UTC (permalink / raw)
  To: John Sanpe; +Cc: lars.ellenberg, philipp.reisner, linux-kernel, drbd-dev

Am 23.07.22 um 09:59 schrieb John Sanpe:
> This problem occurs when malloc element failed on the first time.
> At this time, the counter i is 0. When it's released, we subtract 1
> in advance without checking, which will cause i to become UINT_MAX,
> resulting in array overflow.
> 
> Signed-off-by: John Sanpe <sanpeqf@gmail.com>
> ---
>  lib/lru_cache.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/lru_cache.c b/lib/lru_cache.c
> index 52313acbfa62..04d95de92602 100644
> --- a/lib/lru_cache.c
> +++ b/lib/lru_cache.c
> @@ -147,7 +147,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
>  		return lc;
>  
>  	/* else: could not allocate all elements, give up */
> -	for (i--; i; i--) {
> +	while (i--) {
>  		void *p = element[i];
>  		kmem_cache_free(cache, p - e_off);
>  	}

Thanks for the fix, looks good to me.

Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>

-- 
Christoph Böhmwalder
LINBIT | Keeping the Digital World Running
DRBD HA —  Disaster Recovery — Software defined Storage

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-08-01 15:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-23  7:59 [Drbd-dev] [PATCH] lib/lru_cache: Fixed array overflow caused by incorrect boundary handling John Sanpe
2022-08-01 15:40 ` Christoph Böhmwalder

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox