From: Mike Christie <mchristi@redhat.com>
To: lixiubo@cmss.chinamobile.com, nab@linux-iscsi.org
Cc: bryantly@linux.vnet.ibm.com, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org
Subject: Re: [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy
Date: Wed, 12 Jul 2017 12:36:30 -0500 [thread overview]
Message-ID: <59665E1E.5040900@redhat.com> (raw)
In-Reply-To: <1499845877-18931-1-git-send-email-lixiubo@cmss.chinamobile.com>
On 07/12/2017 02:51 AM, lixiubo@cmss.chinamobile.com wrote:
> From: Xiubo Li <lixiubo@cmss.chinamobile.com>
>
> For most case the sg->length equals to PAGE_SIZE, so this bug won't
> be triggered. Otherwise this will crash the kernel, for example when
> all segments' sg->length equal to 1K.
>
> Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
> ---
> drivers/target/target_core_user.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 8bf0823..9030c2a 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -590,8 +590,6 @@ static int scatter_data_area(struct tcmu_dev *udev,
> block_remaining);
> to_offset = get_block_offset_user(udev, dbi,
> block_remaining);
> - offset = DATA_BLOCK_SIZE - block_remaining;
> - to += offset;
>
> if (*iov_cnt != 0 &&
> to_offset == iov_tail(*iov)) {
> @@ -602,8 +600,10 @@ static int scatter_data_area(struct tcmu_dev *udev,
> (*iov)->iov_len = copy_bytes;
> }
> if (copy_data) {
> - memcpy(to, from + sg->length - sg_remaining,
> - copy_bytes);
> + offset = DATA_BLOCK_SIZE - block_remaining;
> + memcpy(to + offset,
> + from + sg->length - sg_remaining,
> + copy_bytes);
> tcmu_flush_dcache_range(to, copy_bytes);
> }
> sg_remaining -= copy_bytes;
> @@ -664,9 +664,8 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
> copy_bytes = min_t(size_t, sg_remaining,
> block_remaining);
> offset = DATA_BLOCK_SIZE - block_remaining;
> - from += offset;
> tcmu_flush_dcache_range(from, copy_bytes);
> - memcpy(to + sg->length - sg_remaining, from,
> + memcpy(to + sg->length - sg_remaining, from + offset,
> copy_bytes);
>
> sg_remaining -= copy_bytes;
>
Nice.
Reviewed-by: Mike Christie <mchristi@redhat.com>
next prev parent reply other threads:[~2017-07-12 17:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-12 7:51 [PATCH] tcmu: Fix possible to/from address overflow when doing the memcpy lixiubo
2017-07-12 17:36 ` Mike Christie [this message]
2017-07-30 22:13 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59665E1E.5040900@redhat.com \
--to=mchristi@redhat.com \
--cc=bryantly@linux.vnet.ibm.com \
--cc=linux-scsi@vger.kernel.org \
--cc=lixiubo@cmss.chinamobile.com \
--cc=nab@linux-iscsi.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).