public inbox for linux-xfs@vger.kernel.org
 help / color / mirror / Atom feed
From: Dave Chinner <david@fromorbit.com>
To: Vivek Trivedi <t.vivek@samsung.com>
Cc: a.sahrawat@samsung.com, pankaj.m@samsung.com, xfs@oss.sgi.com
Subject: Re: [PATCH 02/11] xfsprogs: fix integer overflow in xlog_find_verify_cycle
Date: Thu, 3 Dec 2015 16:49:41 +1100	[thread overview]
Message-ID: <20151203054941.GS26718@dastard> (raw)
In-Reply-To: <1449055167-19936-3-git-send-email-t.vivek@samsung.com>

On Wed, Dec 02, 2015 at 04:49:18PM +0530, Vivek Trivedi wrote:
> Fix unintentional integer overflow in xlog_find_verify_cycle.
> Reported by coverity.
> 
> Signed-off-by: Vivek Trivedi <t.vivek@samsung.com>
> ---
>  libxlog/xfs_log_recover.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libxlog/xfs_log_recover.c b/libxlog/xfs_log_recover.c
> index ef7cf68..73f4d36 100644
> --- a/libxlog/xfs_log_recover.c
> +++ b/libxlog/xfs_log_recover.c
> @@ -254,7 +254,7 @@ xlog_find_verify_cycle(
>  	 * try a smaller size.  We need to be able to read at least
>  	 * a log sector, or we're out of luck.
>  	 */
> -	bufblks = 1 << ffs(nbblks);
> +	bufblks = (xfs_daddr_t)1 << ffs(nbblks);

Ummm, in isolation that change is technically correct, but when you
look at what bufblks contains it is clearly wrong.  nbblks is an
int, so "1 << ffs(nbblks)" should not be larger than an int.

i.e. bufblks is simply a count of blocks in the log, which by
definition cannot be more than an int (in fact, 2^31 / 2^9 is the
largest legal value it can have). Hence it can't be larger than an
int, and all the functions it is passed to expect it to be an
int...

Hence the use of xfs_daddr_t is wrong, and that's the first thing
that needs fixing....

>  	while (bufblks > log->l_logBBsize)
>  		bufblks >>= 1;
>  	while (!(bp = xlog_get_bp(log, bufblks))) {
                                       ^^^^^^^^
And given this, it's clear that coverity doesn't warn about
overflows caused by passing a 64 bit value into a 32 bit function
parameter....

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

  parent reply	other threads:[~2015-12-03  5:50 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-02 11:19 [PATCH 00/11] xfsprogs misc fixes Vivek Trivedi
2015-12-02 11:19 ` [PATCH 01/11] xfsprogs: xfs_io: fix a memory leak in imap_f Vivek Trivedi
2015-12-02 17:55   ` Eric Sandeen
2015-12-02 11:19 ` [PATCH 02/11] xfsprogs: fix integer overflow in xlog_find_verify_cycle Vivek Trivedi
2015-12-02 17:58   ` Eric Sandeen
2015-12-03  5:49   ` Dave Chinner [this message]
2015-12-02 11:19 ` [PATCH 03/11] xfsprogs: mkfs: fix unintentional integer overflow Vivek Trivedi
2015-12-03  3:34   ` Eric Sandeen
2015-12-03  5:54   ` Dave Chinner
2015-12-02 11:19 ` [PATCH 04/11] xfsprogs: xfsdb: remove unnessary checks in process_leaf_node_dir_v2_free Vivek Trivedi
2015-12-03  5:57   ` Dave Chinner
2015-12-02 11:19 ` [PATCH 05/11] xfsprogs: xfs_mdrestore: check bad read count in perform_restore Vivek Trivedi
2015-12-03  4:54   ` Eric Sandeen
2015-12-03  5:59     ` Dave Chinner
2015-12-03  6:05       ` Eric Sandeen
2015-12-02 11:19 ` [PATCH 06/11] xfsprogs: xfs_db: check null derefernce after block_to_bt Vivek Trivedi
2015-12-03  5:43   ` Eric Sandeen
2015-12-02 11:19 ` [PATCH 07/11] xfsprogs: xfs_fsr: replace sprintf with snprintf to avoid buffer overflow Vivek Trivedi
2015-12-03  5:44   ` Eric Sandeen
2015-12-03  6:07     ` Dave Chinner
2015-12-02 11:19 ` [PATCH 08/11] xfsprogs: xfs_repair: fix possible null dereference in build_ino_tree Vivek Trivedi
2015-12-03  6:19   ` Dave Chinner
2015-12-02 11:19 ` [PATCH 09/11] xfsprogs: xfs_repair: fix possible null dereference in traverse_int_dir2block Vivek Trivedi
2015-12-03  5:51   ` Eric Sandeen
2015-12-03  6:22     ` Dave Chinner
2015-12-02 11:19 ` [PATCH 10/11] xfsprogs: fix possible null pointer dereference in xfs_iformat_extents Vivek Trivedi
2015-12-03  6:31   ` Dave Chinner
2015-12-02 11:19 ` [PATCH 11/11] xfsprogs: xfs_repair: fix possible null pointer dereference in mark_standalone_inodes Vivek Trivedi
2015-12-03  6:34   ` Dave Chinner
2015-12-02 15:10 ` [PATCH 00/11] xfsprogs misc fixes Eric Sandeen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151203054941.GS26718@dastard \
    --to=david@fromorbit.com \
    --cc=a.sahrawat@samsung.com \
    --cc=pankaj.m@samsung.com \
    --cc=t.vivek@samsung.com \
    --cc=xfs@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox