* Re: [PATCH] scsi: int overflow in st_ioctl()
[not found] <1387291383-25126-1-git-send-email-xuyongjiande@gmail.com>
@ 2013-12-17 17:53 ` "Kai Mäkisara (Kolumbus)"
2013-12-18 4:00 ` Yu Chen
0 siblings, 1 reply; 2+ messages in thread
From: "Kai Mäkisara (Kolumbus)" @ 2013-12-17 17:53 UTC (permalink / raw)
To: xuyongjiande; +Cc: James E.J. Bottomley, linux-kernel, linux-scsi
On 17.12.2013, at 16.43, Yongjian Xu xuyongjiande@gmail.com wrote:
> From: Yongjian Xu <xuyongjiande@gmail.com>
>
> mtc.mt_count comes from user-space.
> int overflow may occur:
> mtc.mt_count++;
> mtc.mt_count—;
I agree that this is a problem. However, it seems that there is also another problem: the SPACE command uses a 24-bit count field and this overflows far below INT_MAX. Should the count in MTFSF etc. be limited to (2<<24-2)? This would make the checks you suggest unnecessary. (-2 so that the behavior does not depend on whether we are at file mark or not.)
I am a bit hesitant with this suggestion because someone may use count INT_MAX to space to the end of the tape. This probably succeeds now but after the fix it would return an error.
Thanks,
Kai
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] scsi: int overflow in st_ioctl()
2013-12-17 17:53 ` [PATCH] scsi: int overflow in st_ioctl() "Kai Mäkisara (Kolumbus)"
@ 2013-12-18 4:00 ` Yu Chen
0 siblings, 0 replies; 2+ messages in thread
From: Yu Chen @ 2013-12-18 4:00 UTC (permalink / raw)
To: Kai Mäkisara (Kolumbus)
Cc: 徐永健, James E.J. Bottomley, linux-kernel,
linux-scsi
Because the local variable of st_int_ioctl function, such as long ltmp
be assigned by arg.
I think we should limit the parameter arg of st_int_ioctl function to
the range of 24-bit signed integer.
Yong Jianxu, please update your patch.
2013/12/18 "Kai Mäkisara (Kolumbus)" <kai.makisara@kolumbus.fi>:
> On 17.12.2013, at 16.43, Yongjian Xu xuyongjiande@gmail.com wrote:
>
>> From: Yongjian Xu <xuyongjiande@gmail.com>
>>
>> mtc.mt_count comes from user-space.
>> int overflow may occur:
>> mtc.mt_count++;
>> mtc.mt_count—;
>
> I agree that this is a problem. However, it seems that there is also another problem: the SPACE command uses a 24-bit count field and this overflows far below INT_MAX. Should the count in MTFSF etc. be limited to (2<<24-2)? This would make the checks you suggest unnecessary. (-2 so that the behavior does not depend on whether we are at file mark or not.)
>
> I am a bit hesitant with this suggestion because someone may use count INT_MAX to space to the end of the tape. This probably succeeds now but after the fix it would return an error.
>
> Thanks,
> Kai
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Best Regards
==============================================
Yu Chen
Ph.D. Associate Professor
System Software&Software Engineering Group,
Dept. of Computer Science and Technology
Tsinghua University, Beijing 100084, P.R. China
E-Mail: mailto:yuchen@tsinghua.edu.cn chyyuu@gmail.com
==============================================
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-12-18 4:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1387291383-25126-1-git-send-email-xuyongjiande@gmail.com>
2013-12-17 17:53 ` [PATCH] scsi: int overflow in st_ioctl() "Kai Mäkisara (Kolumbus)"
2013-12-18 4:00 ` Yu Chen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).