Re: [RFC PATCH v1 6/8] zram: avoid access beyond the zram device

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Jerome Marchand <jmarchan@redhat.com>
To: Jiang Liu <liuj97@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Nitin Gupta <ngupta@vflare.org>, Minchan Kim <minchan@kernel.org>,
	Yijing Wang <wangyijing@huawei.com>,
	Jiang Liu <jiang.liu@huawei.com>,
	devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v1 6/8] zram: avoid access beyond the zram device
Date: Wed, 05 Jun 2013 10:52:48 +0200	[thread overview]
Message-ID: <51AEFC60.70107@redhat.com> (raw)
In-Reply-To: <51AE033D.8090302@gmail.com>

On 06/04/2013 05:09 PM, Jiang Liu wrote:
> On Tue 04 Jun 2013 09:15:43 PM CST, Jerome Marchand wrote:
>> On 06/03/2013 05:42 PM, Jiang Liu wrote:
>>> Function valid_io_request() should verify the entire request doesn't
>>> exceed the zram device, otherwise it will cause invalid memory access.
>>>
>>> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
>>> ---
>>>  drivers/staging/zram/zram_drv.c | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>>> index 66cf28a..64b51b9 100644
>>> --- a/drivers/staging/zram/zram_drv.c
>>> +++ b/drivers/staging/zram/zram_drv.c
>>> @@ -428,6 +428,10 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
>>>  		return 0;
>>>  	}
>>>
>>> +	if (unlikely((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>>> +		     zram->disksize))
>>> +		return 0;
>>> +
>>
>> This test make the first line of previous test redundant. Why not just
>> update it like the following:
>>
>> -		(bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> +		((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>> +			zram->disksize)) ||
>>
>>
>> Jerome
> Hi Jerome,
>          I think the test "bio->bi_sector >= (zram->disksize >> 
> SECTOR_SHIFT)" is still
> needed to protect "(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size" 
> from wrapping
> around.

Good point, but I don't see how this is going to catch all the possible
values that overflow. You still need an explicit overflow test
(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size < bio->bi_size), at
which point the first test would be useless.

Jerome

> Regards!
> Gerry
> 
>>
>>>  	/* I/O request is valid */
>>>  	return 1;
>>>  }
>>>
>>
> 
>

next prev parent reply	other threads:[~2013-06-05  8:53 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-03 15:42 [RFC PATCH v1 0/8] small bugfixes and code improvements for zram Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 1/8] zram: simplify and optimize zram_to_dev() Jiang Liu
2013-06-04 13:09   ` Jerome Marchand
2013-06-04 14:31     ` Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 2/8] zram: avoid invalid memory access in zram_exit() Jiang Liu
2013-06-04  9:03   ` Minchan Kim
2013-06-04 14:27     ` Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 3/8] zram: use zram->lock to protect zram_free_page() in swap free notify path Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 4/8] zram: destroy all devices on error recovery path in zram_init() Jiang Liu
2013-06-04  8:49   ` Dan Carpenter
2013-06-04 14:57     ` Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 5/8] zram: avoid double free in error recovery path of zram_bvec_write() Jiang Liu
2013-06-04 13:27   ` Jerome Marchand
2013-06-03 15:42 ` [RFC PATCH v1 6/8] zram: avoid access beyond the zram device Jiang Liu
2013-06-04 13:15   ` Jerome Marchand
2013-06-04 15:09     ` Jiang Liu
2013-06-05  8:52       ` Jerome Marchand [this message]
2013-06-03 15:42 ` [RFC PATCH v1 7/8] zram: optimize memory operations with clear_page()/copy_page() Jiang Liu
2013-06-03 15:42 ` [RFC PATCH v1 8/8] zram: protect sysfs handler from invalid memory access Jiang Liu
2013-06-04  9:00 ` [RFC PATCH v1 0/8] small bugfixes and code improvements for zram Minchan Kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51AEFC60.70107@redhat.com \
    --to=jmarchan@redhat.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jiang.liu@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=liuj97@gmail.com \
    --cc=minchan@kernel.org \
    --cc=ngupta@vflare.org \
    --cc=wangyijing@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox