From: wzt wzt <wzt.wzt@gmail.com>
To: Dave Chinner <david@fromorbit.com>
Cc: xfs-masters@oss.sgi.com, aelder@sgi.com,
linux-kernel@vger.kernel.org, xfs@oss.sgi.com
Subject: Re: [PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c
Date: Wed, 17 Mar 2010 11:00:54 +0800 [thread overview]
Message-ID: <628d1651003162000u537790b4k697a0112375649ef@mail.gmail.com> (raw)
In-Reply-To: <20100317024101.GH12369@dastard>
Thanks for your help, i'll send a new patch soon.
On Wed, Mar 17, 2010 at 10:41 AM, Dave Chinner <david@fromorbit.com> wrote:
> On Tue, Mar 16, 2010 at 11:53:50PM +0800, wzt.wzt@gmail.com wrote:
>> STATIC int
>> xfs_compat_attrmulti_by_handle(
>> struct file *parfilp,
>> void __user *arg)
>> {
>> ...
>> if (copy_from_user(&am_hreq, arg,
>> sizeof(compat_xfs_fsop_attrmulti_handlereq_t)))
>> return -XFS_ERROR(EFAULT);
>> ...
>> error = E2BIG;
>> /* Not check the am_hreq.opcount max value from userspace,
>> m_hreq.opcount * sizeof(compat_xfs_attr_multiop_t) can make
>> integer overflow, and the if condition can be bypass. Though,
>> it can not make security problem, but fix it maybe better. */
>> size = am_hreq.opcount * sizeof(compat_xfs_attr_multiop_t);
>> if (!size || size > 16 * PAGE_SIZE)
>> goto out_dput;
>> ...
>> }
>
> This description could use a little work. ;)
>
> Perhaps something like:
>
> The am_hreq.opcount field in the xfs_attrmulti_by_handle() interface
> is not bounded correctly. The opcount is used to determine the size
> of the buffer required. The size is bounded, but can overflow and so
> the size checks may not be sufficient to catch invalid opcounts.
> Fix it by catching opcount values that would cause overflows before
> calculating the size.
>
>
>>
>> Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
>>
>> ---
>> fs/xfs/linux-2.6/xfs_ioctl.c | 4 ++++
>> fs/xfs/linux-2.6/xfs_ioctl32.c | 4 ++++
>> 2 files changed, 8 insertions(+), 0 deletions(-)
>>
>> diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
>> index 4ea1ee1..b05b3b7 100644
>> --- a/fs/xfs/linux-2.6/xfs_ioctl.c
>> +++ b/fs/xfs/linux-2.6/xfs_ioctl.c
>> @@ -526,6 +526,10 @@ xfs_attrmulti_by_handle(
>> if (copy_from_user(&am_hreq, arg, sizeof(xfs_fsop_attrmulti_handlereq_t)))
>> return -XFS_ERROR(EFAULT);
>>
>> + /* overflow check */
>> + if (am_hreq.opcount >= INT_MAX / sizeof(xfs_attr_multiop_t))
>> + return -ENOMEM;
>> +
>
> The code currently return E2BIG for an opcount that is too large.
> I think this should also return E2BIG rather then ENOMEM. Does that
> seem reasonable?
>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com
>
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
prev parent reply other threads:[~2010-03-17 2:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-16 15:53 [PATCH] xfs: Fix integer overflow in fs/xfs/linux-2.6/xfs_ioctl*.c wzt.wzt
2010-03-17 2:41 ` Dave Chinner
2010-03-17 3:00 ` wzt wzt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=628d1651003162000u537790b4k697a0112375649ef@mail.gmail.com \
--to=wzt.wzt@gmail.com \
--cc=aelder@sgi.com \
--cc=david@fromorbit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=xfs-masters@oss.sgi.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox