From: Dan Carpenter <dan.carpenter@linaro.org>
To: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <sfrench@samba.org>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Tom Talpey <tom@talpey.com>,
linux-cifs@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems
Date: Wed, 15 Jan 2025 08:26:25 +0300 [thread overview]
Message-ID: <20f85837-68b7-404f-9284-73597feb142e@stanley.mountain> (raw)
In-Reply-To: <CAKYAXd_a=u0KKGSAe7yZy+jhtQb5Mq2ZTX=WirL7mhr3QOkTtw@mail.gmail.com>
On Wed, Jan 15, 2025 at 09:20:54AM +0900, Namjae Jeon wrote:
> On Tue, Jan 14, 2025 at 7:18 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > On Tue, Jan 14, 2025 at 04:53:18PM +0900, Namjae Jeon wrote:
> > > On Mon, Jan 13, 2025 at 3:17 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> > > >
> > > > On 32bit systems the addition operations in ipc_msg_alloc() can
> > > > potentially overflow leading to memory corruption. Fix this using
> > > > size_add() which will ensure that the invalid allocations do not succeed.
> > > You previously said that memcpy overrun does not occur due to memory
> > > allocation failure with SIZE_MAX.
> > >
> > > Would it be better to handle integer overflows as an error before
> > > memory allocation?
> >
> > I mean we could do something like the below patch but I'd prefer to fix
> > it this way.
> >
> > > And static checkers don't detect memcpy overrun by considering memory
> > > allocation failure?
> >
> > How the struct_size()/array_size() kernel hardenning works is that if
> > you pass in a too large value instead of wrapping to a small value, the
> > math results in SIZE_MAX so the allocation will fail. We already handle
> > allocation failures correctly so it's fine.
> >
> > The problem in this code is that on 32 bit systems if you chose a "sz"
> > value which is (unsigned int)-4 then the kvzalloc() allocation will
> > succeed but the buffer will be 4 bytes smaller than intended and the
> > "msg->sz = sz;" assignment will corrupt memory.
> >
> > Anyway, here is how the patch could look like with bounds checking instead
> > of size_add(). We could fancy it up a bit, but I don't like fancy math.
> Okay, There was a macro for max ipc payload size, So I have changed
> INT_MAX to KSMBD_IPC_MAX_PAYLOAD.
Nice. I didn't know. Thanks!
regards,
dan carpenter
prev parent reply other threads:[~2025-01-15 5:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-13 6:17 [PATCH RESEND] ksmbd: fix integer overflows on 32 bit systems Dan Carpenter
2025-01-14 7:53 ` Namjae Jeon
2025-01-14 10:18 ` Dan Carpenter
2025-01-15 0:20 ` Namjae Jeon
2025-01-15 5:26 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20f85837-68b7-404f-9284-73597feb142e@stanley.mountain \
--to=dan.carpenter@linaro.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=senozhatsky@chromium.org \
--cc=sfrench@samba.org \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox