linux-block.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Hyunwoo Kim <imv4bel@gmail.com>
To: tim@cyberelk.net, axboe@kernel.dk
Cc: linux-block@vger.kernel.org
Subject: [PATCH] paride: Fixed integer overflow in pt_read and pt_write
Date: Sun, 26 Jun 2022 04:02:39 -0700	[thread overview]
Message-ID: <20220626110239.GA58252@ubuntu> (raw)

In pt_read() and pt_write(), the "size_t count" variable is
assigned to the "int n" variable and then size check is performed.

static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
{
	...
        int k, n, r, p, s, t, b;

	...

        while (count > 0) {

                if (!pt_poll_dsc(tape, HZ / 100, PT_TMO, "write"))
                        return -EIO;

                n = count;
                if (n > 32768)
                        n = 32768;      /* max per command */

If the user passes the SIZE_MAX value to the "count" variable,
the "n" value is greater than 32768, but it becomes a negative
number and passes the size check.
In other words, we need to add a negative check as well,
since the size check makes no sense.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
 drivers/block/paride/pt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c
index e815312a00ad..f37aa1349622 100644
--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -787,7 +787,7 @@ static ssize_t pt_read(struct file *filp, char __user *buf, size_t count, loff_t
 			return -EIO;
 
 		n = count;
-		if (n > 32768)
+		if (n > 32768 || n < 0)
 			n = 32768;	/* max per command */
 		b = (n - 1 + tape->bs) / tape->bs;
 		n = b * tape->bs;	/* rounded up to even block */
@@ -888,7 +888,7 @@ static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count,
 			return -EIO;
 
 		n = count;
-		if (n > 32768)
+		if (n > 32768 || n < 0)
 			n = 32768;	/* max per command */
 		b = (n - 1 + tape->bs) / tape->bs;
 		n = b * tape->bs;	/* rounded up to even block */
-- 
2.25.1

Dear all,

I submitted this patch a week ago.

Can I get feedback on this patch?

Regards,
Hyunwoo Kim.

             reply	other threads:[~2022-06-26 11:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-26 11:02 Hyunwoo Kim [this message]
  -- strict thread matches above, loose matches on Subject: below --
2022-06-19  3:40 [PATCH] paride: Fixed integer overflow in pt_read and pt_write Hyunwoo Kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220626110239.GA58252@ubuntu \
    --to=imv4bel@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=linux-block@vger.kernel.org \
    --cc=tim@cyberelk.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).