From: Stephen Lord <lord@sgi.com>
To: Yichen Xie <yxie@cs.stanford.edu>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	mc@cs.stanford.edu
Subject: Re: [CHECKER] 87 potential array bounds error/buffer overruns in 2.5.53
Date: 28 Jan 2003 07:16:49 -0600
Message-ID: <1043759811.1374.7.camel@localhost.localdomain>
In-Reply-To: <000001c2c5a4$5c4465d0$09830c80@stanfordja31z2>

On Sun, 2003-01-26 at 19:35, Yichen Xie wrote:
> Hi all,
> 
> Attached are 87 potential buffer overruns in 2.5.53. Most arise from
> improper bounds checks, and some might be security holes where the array
> index comes from an untrusted source (e.g. copy_from_user). In the bug
> report, "len" refers to the length of the array or buffer being
> accessed, and "off" refers to the offset/index that is being used to
> access it. (off >= len) corresponds to a buffer overrun, while (off < 0)
> signals an underrun.
> 
> As always, confirmations and comments will be appreciated.
> 
> Yichen
> 

> [BUG] what if level < 0?
> /home/yxie/linux-2.5.53/fs/xfs/xfs_bmap_btree.c:1364:xfs_bmbt_lshift:
> ERROR:BUFFER:1364:1364:Array bounds error (off < 0)
> ((*cur).bc_ptrs[level], max(off) = -1) 
> 	}
> 	if ((error = xfs_bmbt_updkey(cur, rkp, level + 1))) {
> 		XFS_BMBT_TRACE_CURSOR(cur, ERROR);
> 		return error;
> 	}
> 
> Error --->
> 	cur->bc_ptrs[level]--;
> 	XFS_BMBT_TRACE_CURSOR(cur, EXIT);
> 	*stat = 1;
> 	return 0;

Hi,

I took a look at the callers of this code; level is always being passed
in as 0 or greater. Looking at it, we should really be using an unsigned
int for this variable.

Interesting that this is the only one in the file which showed up; there
are lots of array dereferences using level as the index in this file.

Steve
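As an added illustration, not code from this thread or from XFS: the same per-level decrement in a constructed miniature cursor, first with the signed index the checker flagged and then with the unsigned, range-checked form suggested above. The struct, MAX_LEVELS and the error names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a btree cursor, not the XFS struct: one record
 * pointer per level, decremented the way xfs_bmbt_lshift does above. */
#define MAX_LEVELS 8                    /* "len" for the ptrs[] array */

struct cursor {
    int ptrs[MAX_LEVELS];
    unsigned int nlevels;               /* levels actually in use */
};
enum { LSHIFT_OK = 0, LSHIFT_EINVAL = -22 };  /* assumed names */

/* Original shape: signed index, no local check.  The checker reports "off < 0"
 * because nothing here proves level >= 0; only the callers guarantee it. */
int lshift_ptr_unchecked(struct cursor *cur, int level)
{
    cur->ptrs[level]--;   /* underrun if level < 0, overrun if >= MAX_LEVELS */
    return 0;
}

/* Hardened shape: unsigned index (so "off < 0" cannot arise) plus an explicit
 * check against the live level count before the dereference. */
int lshift_ptr_checked(struct cursor *cur, unsigned int level)
{
    if (cur->nlevels > MAX_LEVELS || level >= cur->nlevels)
        return LSHIFT_EINVAL;           /* refuse instead of writing out of bounds */
    cur->ptrs[level]--;
    return LSHIFT_OK;
}

/* Fresh cursor with 'nlevels' levels, every ptr = 5, shifted at 'level'; returns
 * the new ptr value or LSHIFT_EINVAL.  A negative int passed here converts to a
 * huge unsigned value, which the >= nlevels check rejects. */
int shift_fresh(unsigned int nlevels, unsigned int level)
{
    struct cursor c;
    memset(&c, 0, sizeof(c));
    c.nlevels = nlevels;
    for (unsigned int i = 0; i < MAX_LEVELS; i++)
        c.ptrs[i] = 5;
    return lshift_ptr_checked(&c, level) == LSHIFT_OK ? c.ptrs[level] : LSHIFT_EINVAL;
}

int main(void)
{
    printf("level 0: %d, level 3 of 3: %d, level -1: %d\n",
           shift_fresh(3, 0), shift_fresh(3, 3), shift_fresh(3, (unsigned int)-1));
    return 0;
}
```

Making the index unsigned removes the "off < 0" class only; the "off >= len" check against the live level count is still needed.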


