[patch] dm raid: pointer math issue in super

linux-raid.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [patch] dm raid: pointer math issue in super_sync()
@ 2014-10-21 12:43 Dan Carpenter
  2014-10-21 12:48 ` Mike Snitzer
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2014-10-21 12:43 UTC (permalink / raw)
  To: Alasdair Kergon
  Cc: Mike Snitzer, dm-devel, Neil Brown, linux-raid, kernel-janitors

"sb" is a dm_raid_superblock struct pointer so the pointer math doesn't
work and we will end up corrupting memory.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index b802644..a7cb9dd 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -826,7 +826,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
 		    test_bit(Faulty, &(rs->dev[i].rdev.flags)))
 			failed_devices |= (1ULL << i);
 
-	memset(sb + sizeof(*sb), 0, rdev->sb_size - sizeof(*sb));
+	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
 
 	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
 	sb->features = cpu_to_le32(0);	/* No features yet */

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: dm raid: pointer math issue in super_sync()
  2014-10-21 12:43 [patch] dm raid: pointer math issue in super_sync() Dan Carpenter
@ 2014-10-21 12:48 ` Mike Snitzer
  2014-10-21 12:57   ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: Mike Snitzer @ 2014-10-21 12:48 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Alasdair Kergon, dm-devel, Neil Brown, linux-raid,
	kernel-janitors, Heinz Mauelshagen

On Tue, Oct 21 2014 at  8:43am -0400,
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> "sb" is a dm_raid_superblock struct pointer so the pointer math doesn't
> work and we will end up corrupting memory.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
> index b802644..a7cb9dd 100644
> --- a/drivers/md/dm-raid.c
> +++ b/drivers/md/dm-raid.c
> @@ -826,7 +826,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
>  		    test_bit(Faulty, &(rs->dev[i].rdev.flags)))
>  			failed_devices |= (1ULL << i);
>  
> -	memset(sb + sizeof(*sb), 0, rdev->sb_size - sizeof(*sb));
> +	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
>  
>  	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
>  	sb->features = cpu_to_le32(0);	/* No features yet */

Not following... sizeof(*sb) != sizeof(sb).  So I'm not seeing a
problem.

Nor am I seeing how you think sb + 1 is equivalent to what Heinz
intended (zero the memory following the sizeof(struct dm_raid_superblock)).

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: dm raid: pointer math issue in super_sync()
  2014-10-21 12:48 ` Mike Snitzer
@ 2014-10-21 12:57   ` Dan Carpenter
  2014-10-21 13:25     ` Mike Snitzer
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2014-10-21 12:57 UTC (permalink / raw)
  To: Mike Snitzer
  Cc: Alasdair Kergon, dm-devel, Neil Brown, linux-raid,
	kernel-janitors, Heinz Mauelshagen

On Tue, Oct 21, 2014 at 08:48:26AM -0400, Mike Snitzer wrote:
> > -	memset(sb + sizeof(*sb), 0, rdev->sb_size - sizeof(*sb));
> > +	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
> >  
> >  	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
> >  	sb->features = cpu_to_le32(0);	/* No features yet */
> 
> Not following... sizeof(*sb) != sizeof(sb).  So I'm not seeing a
> problem.
> 
> Nor am I seeing how you think sb + 1 is equivalent to what Heinz
> intended (zero the memory following the sizeof(struct dm_raid_superblock)).

It's pointer math.

sizeof(*sb) is 512.

"sb + sizeof(*sb)" is the same as (void *)sb + 512 * 512.
"sb + 1" is the same as (void *)sb + 512.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: dm raid: pointer math issue in super_sync()
  2014-10-21 12:57   ` Dan Carpenter
@ 2014-10-21 13:25     ` Mike Snitzer
  0 siblings, 0 replies; 4+ messages in thread
From: Mike Snitzer @ 2014-10-21 13:25 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Heinz Mauelshagen, kernel-janitors, linux-raid, dm-devel,
	Alasdair Kergon

On Tue, Oct 21 2014 at  8:57am -0400,
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Tue, Oct 21, 2014 at 08:48:26AM -0400, Mike Snitzer wrote:
> > > -	memset(sb + sizeof(*sb), 0, rdev->sb_size - sizeof(*sb));
> > > +	memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
> > >  
> > >  	sb->magic = cpu_to_le32(DM_RAID_MAGIC);
> > >  	sb->features = cpu_to_le32(0);	/* No features yet */
> > 
> > Not following... sizeof(*sb) != sizeof(sb).  So I'm not seeing a
> > problem.
> > 
> > Nor am I seeing how you think sb + 1 is equivalent to what Heinz
> > intended (zero the memory following the sizeof(struct dm_raid_superblock)).
> 
> It's pointer math.

Yes, I see that now..

> sizeof(*sb) is 512.
> 
> "sb + sizeof(*sb)" is the same as (void *)sb + 512 * 512.
> "sb + 1" is the same as (void *)sb + 512.

Actually, Heinz removed the 452 bytes of padding from struct
dm_raid_superblock, so it is more like:

sizeof(*sb) == sizeof(struct dm_raid_super_block) == 60

"sb + sizeof(*sb)" is the same as (void *)sb + 60 * 60
"sb + 1" is the same as (void *)sb + 60.

But regardless, your broader point on the math stands.  I'll get this
fixed up, thanks!

Mike

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-10-21 13:25 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-21 12:43 [patch] dm raid: pointer math issue in super_sync() Dan Carpenter
2014-10-21 12:48 ` Mike Snitzer
2014-10-21 12:57   ` Dan Carpenter
2014-10-21 13:25     ` Mike Snitzer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).