From: Jiri Slaby <jslaby@suse.cz>
To: Ben Hutchings <ben@decadent.org.uk>, stable@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH 2.6.32-4.0] sg_start_req(): make sure that there's not too many elements in iovec
Date: Mon, 3 Aug 2015 11:56:58 +0200 [thread overview]
Message-ID: <55BF3AEA.3030104@suse.cz> (raw)
In-Reply-To: <1438449959.3225.18.camel@decadent.org.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 08/01/2015, 07:25 PM, Ben Hutchings wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
>
> commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
>
> unfortunately, allowing an arbitrary 16bit value means a
> possibility of overflow in the calculation of total number of pages
> in bio_map_user_iov() - we rely on there being no more than
> PAGE_SIZE members of sum in the first loop there. If that sum
> wraps around, we end up allocating too small array of pointers to
> pages and it's easy to overflow it in the second loop.
>
> X-Coverup: TINC (and there's no lumber cartel either)
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> [bwh:
> s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
> fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't
> have that function.] Signed-off-by: Ben Hutchings
> <ben@decadent.org.uk> --- It looks like this bug was introduced in
> 2.6.28 by commit 10db10d144c0 ("sg: convert the indirect IO path to
> use the block layer"), so the fix is needed for all stable
> branches.
Thanks, now applied to 3.12.
- --
js
suse labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVvzroAAoJEL0lsQQGtHBJYwcP/0/o5VbbC8kuAsnOVWBfhZ6k
6MmD4ubR6A39OR12Uj4AsoFR/0FsNCmoU5F74JCTJZENkmcn9VTg6VPmMmDh6QtR
6iGnIMD3zhZK1Z4Cj+6vmbnFHUMmsvwcIr+l3BV5GFT/cpxslgOzCwERmIpT0KuC
C1akB2hnC0LfQumy2g8PLYZB1XHYGJ4JPBRFpTGvVau/BzU8yutXY4XAzKa3WWmY
oCAKR4A6LV5uBgy7WFJbBFxaPRp8tpS8+be1TQvV1A+DzwStv/ckvfWW4TOBFIec
qFxxPsGjiVB+Et44tBIhqSLmcRCxYTGUKueeIhN32K+KVm3R9ag/XH+EVHAeMACw
2QZBRB20gGDMimhEFx50qcfJAuLQyug2pCMwGvWJ/3IRc0ovm3rm1jnFyXBd9f3f
Nz3TS5dp/wJ6uAQ5DQXypXB2pSWG6D6Pu5dS5ixCoCHCeip54NlYNt2LU/2dh6A/
j4iphf+DeXl/v+5ej9lLEgz/FsU742jXSBnZ4k9ubH2ktzLGYNI90Y3s+1RuuHGy
d9yyIeq8KGdxMJj7kw6N1x0mOSunAS7xjzPzzP5ZkwKnqIUTQlePbOnl3HFQBs3V
FhElv7BMK0jfkpi1tYxSKOwCqJlSPHAFjOigw/uKRfFTETFBEE02ejmJhF7iu7mT
a2iFj8Ur6z/i7WoK1HGQ
=Pg4U
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2015-08-03 9:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-01 17:25 [PATCH 2.6.32-4.0] sg_start_req(): make sure that there's not too many elements in iovec Ben Hutchings
2015-08-01 17:33 ` Willy Tarreau
2015-08-03 9:56 ` Jiri Slaby [this message]
2015-08-10 9:26 ` Luis Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55BF3AEA.3030104@suse.cz \
--to=jslaby@suse.cz \
--cc=ben@decadent.org.uk \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).