* [patch] relay: prevent integer overflow in relay_open() [not found] <4F323388.7040902@kernel.dk> @ 2012-02-09 10:44 ` Dan Carpenter 2012-02-09 11:55 ` walter harms 0 siblings, 1 reply; 3+ messages in thread From: Dan Carpenter @ 2012-02-09 10:44 UTC (permalink / raw) To: Jens Axboe; +Cc: Paul Gortmaker, Al Viro, linux-kernel, kernel-janitors "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/kernel/relay.c b/kernel/relay.c index 4335e1d..ab56a17 100644 --- a/kernel/relay.c +++ b/kernel/relay.c @@ -164,10 +164,14 @@ depopulate: */ static struct rchan_buf *relay_create_buf(struct rchan *chan) { - struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); - if (!buf) + struct rchan_buf *buf; + + if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) return NULL; + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); + if (!buf) + return NULL; buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL); if (!buf->padding) goto free_buf; @@ -574,6 +578,8 @@ struct rchan *relay_open(const char *base_filename, if (!(subbuf_size && n_subbufs)) return NULL; + if (subbuf_size > UINT_MAX / n_subbufs) + return NULL; chan = kzalloc(sizeof(struct rchan), GFP_KERNEL); if (!chan) ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [patch] relay: prevent integer overflow in relay_open() 2012-02-09 10:44 ` [patch] relay: prevent integer overflow in relay_open() Dan Carpenter @ 2012-02-09 11:55 ` walter harms 2012-02-09 12:36 ` Dan Carpenter 0 siblings, 1 reply; 3+ messages in thread From: walter harms @ 2012-02-09 11:55 UTC (permalink / raw) To: Dan Carpenter Cc: Jens Axboe, Paul Gortmaker, Al Viro, linux-kernel, kernel-janitors Am 09.02.2012 11:44, schrieb Dan Carpenter: > "subbuf_size" and "n_subbufs" come from the user and they need to be > capped to prevent an integer overflow. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/kernel/relay.c b/kernel/relay.c > index 4335e1d..ab56a17 100644 > --- a/kernel/relay.c > +++ b/kernel/relay.c > @@ -164,10 +164,14 @@ depopulate: > */ > static struct rchan_buf *relay_create_buf(struct rchan *chan) > { > - struct rchan_buf *buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); > - if (!buf) > + struct rchan_buf *buf; > + > + if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) > return NULL; > > + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); > + if (!buf) > + return NULL; > buf->padding = kmalloc(chan->n_subbufs * sizeof(size_t *), GFP_KERNEL); > if (!buf->padding) > goto free_buf; > @@ -574,6 +578,8 @@ struct rchan *relay_open(const char *base_filename, > > if (!(subbuf_size && n_subbufs)) > return NULL; > + if (subbuf_size > UINT_MAX / n_subbufs) > + return NULL; > > chan = kzalloc(sizeof(struct rchan), GFP_KERNEL); > if (!chan) > -- numerical this is ok, but ... maybe it is better to cap the chan->n_subbufs at a useful number ? The user can still allocate an insane number of bytes. Restricting subbuf_size*n_subbufs seems more logical (otherwise is this a real problem ?) re, wh ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch] relay: prevent integer overflow in relay_open() 2012-02-09 11:55 ` walter harms @ 2012-02-09 12:36 ` Dan Carpenter 0 siblings, 0 replies; 3+ messages in thread From: Dan Carpenter @ 2012-02-09 12:36 UTC (permalink / raw) To: walter harms Cc: Jens Axboe, Paul Gortmaker, Al Viro, linux-kernel, kernel-janitors [-- Attachment #1: Type: text/plain, Size: 445 bytes --] On Thu, Feb 09, 2012 at 12:55:52PM +0100, walter harms wrote: > numerical this is ok, but ... > maybe it is better to cap the chan->n_subbufs at a useful number ? We considered this question already earlier in the thread. > The user can still allocate an insane number of bytes. > Restricting subbuf_size*n_subbufs seems more logical (otherwise is this a real problem ?) > Yes. It is a real problem. regards, dan carpenter [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 836 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-02-09 12:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <4F323388.7040902@kernel.dk>
2012-02-09 10:44 ` [patch] relay: prevent integer overflow in relay_open() Dan Carpenter
2012-02-09 11:55 ` walter harms
2012-02-09 12:36 ` Dan Carpenter
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox