From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, Jordy Zomer <jordy@pwning.systems>,
"Ahmed S. Darwish" <a.darwish@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH v2] fs: make d_path-like functions all have unsigned size
Date: Tue, 27 Jul 2021 14:56:53 +0200 [thread overview]
Message-ID: <YQAClXqyLhztLcm4@kroah.com> (raw)
In-Reply-To: <YP/+g/L6+tLWjx/l@smile.fi.intel.com>
On Tue, Jul 27, 2021 at 03:39:31PM +0300, Andy Shevchenko wrote:
> On Tue, Jul 27, 2021 at 02:07:54PM +0200, Greg Kroah-Hartman wrote:
> > When running static analysis tools to find where signed values could
> > potentially wrap the family of d_path() functions turn out to trigger a
> > lot of mess. In evaluating the code, all of these usages seem safe, but
> > pointer math is involved so if a negative number is ever somehow passed
> > into these functions, memory can be traversed backwards in ways not
> > intended.
> >
> > Resolve all of the abuguity by just making "size" an unsigned value,
> > which takes the guesswork out of everything involved.
>
> Are you sure it's correct change?
>
> Look into extract_string() implementation.
>
> if (likely(p->len >= 0))
> return p->buf;
> return ERR_PTR(-ENAMETOOLONG);
>
> Your change makes it equal to
>
> return p->buf;
>
> if I'm not mistaken.
Yes it does, you are right. So now we don't need to check the wrap
there :)
So this code is explicitly wanting the value to wrap into a negative
value to check for problems, didn't expect that.
Still feels very fragile, if you look at the documentation for __d_path,
it says:
"buflen" should be positive.
and if you look at who calls it, they are all passing in an unsigned
value, seq_path_root() uses a size_t as buflen. What's the issues
involved there when size_t is a unsigned value going into a signed int?
And my mistake from earlier, size_t is the same as unsigned int, not
unsigned long.
Anyway, this code feels subtle and tricky here, such that parsing tools
warn "hey, something might be wrong here, check it out!"
I'm not set on changing prepend_buffer->len, but I will not complain if
it is, but we might want to have a different check in extract_string()
and prepend() to verify that p->len does not go bigger than
MAX_SOMETHING?
But in the end, you are right, this version of the patch is not ok, all
of the checks for len being < 0 are now moot, gotta love the fact that
gcc didn't say squat about that :(
thanks,
greg k-h
next prev parent reply other threads:[~2021-07-27 12:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-27 12:07 [PATCH v2] fs: make d_path-like functions all have unsigned size Greg Kroah-Hartman
2021-07-27 12:39 ` Andy Shevchenko
2021-07-27 12:56 ` Greg Kroah-Hartman [this message]
2021-07-27 13:14 ` Matthew Wilcox
2021-07-27 13:30 ` Greg Kroah-Hartman
2021-07-27 13:53 ` Matthew Wilcox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YQAClXqyLhztLcm4@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=a.darwish@linutronix.de \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ebiggers@google.com \
--cc=jordy@pwning.systems \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox