Date: Thu, 22 Jun 2023 18:50:35 -0400
From: Mike Snitzer
To: Demi Marie Obenour
Cc: Alasdair Kergon, dm-devel@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 2/6] device-mapper: Avoid pointer arithmetic overflow
References: <20230601212456.1533-1-demi@invisiblethingslab.com> <20230603145244.1538-1-demi@invisiblethingslab.com> <20230603145244.1538-3-demi@invisiblethingslab.com>
In-Reply-To: <20230603145244.1538-3-demi@invisiblethingslab.com>
X-Mailing-List: stable@vger.kernel.org

On Sat, Jun 03 2023 at 10:52P -0400, Demi Marie Obenour wrote:

> Especially on 32-bit systems, it is possible for the pointer arithmetic
> to overflow and cause a userspace pointer to be dereferenced in the
> kernel.
>
> Signed-off-by: Demi Marie Obenour
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> ---
>  drivers/md/dm-ioctl.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
> index 34fa74c6a70db8aa67aaba3f6a2fc4f38ef736bc..64e8f16d344c47057de5e2d29e3d63202197dca0 100644
> --- a/drivers/md/dm-ioctl.c
> +++ b/drivers/md/dm-ioctl.c
> @@ -1396,6 +1396,25 @@ static int next_target(struct dm_target_spec *last, uint32_t next, void *end, > { > static_assert(_Alignof(struct dm_target_spec) <= 8, > "struct dm_target_spec has excessive alignment requirements"); > + static_assert(offsetof(struct dm_ioctl, data) >= sizeof(struct dm_target_spec), > + "struct dm_target_spec too big");

I'm struggling to see the point of this compile-time check. Especially when you consider (on x86_64):

sizeof(struct dm_target_spec) = 40
offsetof(struct dm_ioctl, data) = 305

Just feels like there is no utility offered by adding this check. So I've dropped it. But if you feel there is some inherent value please let me know.

Thanks,
Mike
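Review bot: the new static_assert's message, "struct dm_target_spec too big", does not say what the comparison against offsetof(struct dm_ioctl, data) protects, and the commit message only speaks of pointer arithmetic overflow in general, which is exactly why the maintainer cannot see its utility in this thread. Add a one-line comment above the assert naming the invariant it pins down (what would go wrong in next_target() if the data area of struct dm_ioctl began less than one full target spec into the header), and phrase the message as the property being asserted rather than its negation, for example "struct dm_ioctl header must hold at least one struct dm_target_spec", since the message is what a reader sees when it fires.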
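As an added example (not code from the patch, from the kernel, or from either author), the following C shows the 32-bit hazard the commit message names and the offset-first check that avoids it. The record layout `spec_hdr`, the buffer built by `build_sample`, and the names `next_spec_offset`, `walk_records`, `late_check_accepts`, `sample_next_offset` and `sample_record_count` are all constructed for this illustration and stand in for, rather than reproduce, the real device-mapper structures and walker:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in record header (constructed for this example, not the kernel's
 * struct dm_target_spec): `next` is the byte distance to the following record. */
struct spec_hdr {
    uint32_t next;
    uint32_t payload_len;
};

#define SAMPLE_LEN 48

/* Simulates the hazard on a 32-bit machine with plain integer arithmetic: the
 * address is formed first (base + cur_off + next, truncated to 32 bits) and
 * range-checked afterwards. Returns 1 when that late check would accept the
 * wrapped address, i.e. when the pattern lets a hostile offset through. */
int late_check_accepts(uint32_t base, uint32_t len, uint32_t cur_off, uint32_t next)
{
    uint32_t p = base + cur_off + next;          /* wraps modulo 2^32 like a 32-bit pointer */
    return p >= base && p <= base + len - (uint32_t)sizeof(struct spec_hdr);
}

/* Safe pattern: validate `next` as an integer against the bytes remaining in the
 * buffer, so no out-of-buffer address is ever computed. Returns the offset of the
 * next record, or -1 if the walk must stop here. */
int64_t next_spec_offset(const char *buf, size_t buf_len, size_t cur_off)
{
    struct spec_hdr cur;
    size_t remaining;
    if (cur_off > buf_len || buf_len - cur_off < sizeof cur)
        return -1;                               /* current header not inside the buffer */
    memcpy(&cur, buf + cur_off, sizeof cur);     /* memcpy avoids alignment assumptions */
    remaining = buf_len - cur_off;
    if (cur.next < sizeof cur)
        return -1;                               /* would overlap or revisit this record */
    if (cur.next > remaining)
        return -1;                               /* past the end; never form that address */
    if (remaining - cur.next < sizeof cur)
        return -1;                               /* next header would not fit */
    return (int64_t)(cur_off + cur.next);        /* cannot overflow: next <= remaining <= buf_len */
}

/* Walks the chain from offset 0, stops at the first rejected link or after
 * max_records, and returns how many record headers were reached in bounds. */
unsigned walk_records(const char *buf, size_t buf_len, unsigned max_records)
{
    size_t off = 0;
    unsigned n = 0;
    while (n < max_records && buf_len - off >= sizeof(struct spec_hdr)) {
        int64_t nxt;
        n++;                                     /* this header is in bounds */
        nxt = next_spec_offset(buf, buf_len, off);
        if (nxt < 0)
            break;                               /* link rejected: stop the walk */
        off = (size_t)nxt;
    }
    return n;
}

/* Constructed sample: two well-formed records, then one whose `next` is a huge
 * value chosen to wrap around when added to a 32-bit address. */
size_t build_sample(char *buf, size_t cap)
{
    struct spec_hdr h;
    if (cap < SAMPLE_LEN)
        return 0;
    memset(buf, 0, cap);
    h.next = 16; h.payload_len = 8;
    memcpy(buf + 0, &h, sizeof h);               /* record 0 -> record 1 at offset 16 */
    memcpy(buf + 16, &h, sizeof h);              /* record 1 -> record 2 at offset 32 */
    h.next = 0xFFFFFFF0u; h.payload_len = 0;
    memcpy(buf + 32, &h, sizeof h);              /* record 2: hostile link */
    return SAMPLE_LEN;
}

/* Wrappers that run the checks over the constructed sample. */
int64_t sample_next_offset(size_t cur_off)
{
    char buf[SAMPLE_LEN];
    size_t len = build_sample(buf, sizeof buf);
    return next_spec_offset(buf, len, cur_off);
}

unsigned sample_record_count(void)
{
    char buf[SAMPLE_LEN];
    size_t len = build_sample(buf, sizeof buf);
    return walk_records(buf, len, 16);
}
```

Over the sample, `sample_record_count()` reaches the three headers and refuses the third record's link, while `late_check_accepts(0x10000000u, 48, 32, 0xFFFFFFF0u)` returns 1: the same hostile offset wraps to an address inside the buffer on a 32-bit machine, which is the case the commit message describes and the reason the comparison has to happen on offsets before any pointer is formed.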