* [PATCH 0/2] Fix encode_comp_t()
@ 2021-05-15 14:06 Zheng Yejian
2021-05-15 14:06 ` [PATCH 1/2] acct: Fix accuracy loss for input value of encode_comp_t() Zheng Yejian
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Zheng Yejian @ 2021-05-15 14:06 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, rdunlap, vbabka, guohanjun, zhangjinhao2
Type conversion in encode_comp_t() may look a bit problematic.
Zheng Yejian (2):
acct: Fix accuracy loss for input value of encode_comp_t()
acct: Fix potential integer overflow in encode_comp_t()
kernel/acct.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] acct: Fix accuracy loss for input value of encode_comp_t()
2021-05-15 14:06 [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
@ 2021-05-15 14:06 ` Zheng Yejian
2021-05-15 14:06 ` [PATCH 2/2] acct: Fix potential integer overflow in encode_comp_t() Zheng Yejian
2022-11-02 3:52 ` [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
2 siblings, 0 replies; 4+ messages in thread
From: Zheng Yejian @ 2021-05-15 14:06 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, rdunlap, vbabka, guohanjun, zhangjinhao2
See calculation of ac_{u,s}time in fill_ac():
> ac->ac_utime = encode_comp_t(nsec_to_AHZ(pacct->ac_utime));
> ac->ac_stime = encode_comp_t(nsec_to_AHZ(pacct->ac_stime));
Return value of nsec_to_AHZ() is always type of 'u64', but it is
handled as type of 'unsigned long' in encode_comp_t, and accuracy
loss would happen on 32-bit platform when 'unsigned long' value
is 32-bit-width.
So 'u64' value of encode_comp_t() may look better.
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/acct.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/acct.c b/kernel/acct.c
index a64102be2bb0..9e143ed5b5d0 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -301,7 +301,7 @@ void acct_exit_ns(struct pid_namespace *ns)
}
/*
- * encode an unsigned long into a comp_t
+ * encode an u64 into a comp_t
*
* This routine has been adopted from the encode_comp_t() function in
* the kern_acct.c file of the FreeBSD operating system. The encoding
@@ -312,7 +312,7 @@ void acct_exit_ns(struct pid_namespace *ns)
#define EXPSIZE 3 /* Base 8 (3 bit) exponent. */
#define MAXFRACT ((1 << MANTSIZE) - 1) /* Maximum fractional value. */
-static comp_t encode_comp_t(unsigned long value)
+static comp_t encode_comp_t(u64 value)
{
int exp, rnd;
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] acct: Fix potential integer overflow in encode_comp_t()
2021-05-15 14:06 [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
2021-05-15 14:06 ` [PATCH 1/2] acct: Fix accuracy loss for input value of encode_comp_t() Zheng Yejian
@ 2021-05-15 14:06 ` Zheng Yejian
2022-11-02 3:52 ` [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
2 siblings, 0 replies; 4+ messages in thread
From: Zheng Yejian @ 2021-05-15 14:06 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, rdunlap, vbabka, guohanjun, zhangjinhao2
The integer overflow is descripted with following codes:
> 317 static comp_t encode_comp_t(u64 value)
> 318 {
> 319 int exp, rnd;
......
> 341 exp <<= MANTSIZE;
> 342 exp += value;
> 343 return exp;
> 344 }
Currently comp_t is defined as type of '__u16', but the
variable 'exp' is type of 'int', so overflow would happen
when variable 'exp' in line 343 is greater than 65535.
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
kernel/acct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/acct.c b/kernel/acct.c
index 9e143ed5b5d0..4182b92cf3df 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -331,6 +331,8 @@ static comp_t encode_comp_t(u64 value)
exp++;
}
+ if (exp > (((comp_t) ~0U) >> MANTSIZE))
+ return (comp_t) ~0U;
/*
* Clean it up and polish it off.
*/
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/2] Fix encode_comp_t()
2021-05-15 14:06 [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
2021-05-15 14:06 ` [PATCH 1/2] acct: Fix accuracy loss for input value of encode_comp_t() Zheng Yejian
2021-05-15 14:06 ` [PATCH 2/2] acct: Fix potential integer overflow in encode_comp_t() Zheng Yejian
@ 2022-11-02 3:52 ` Zheng Yejian
2 siblings, 0 replies; 4+ messages in thread
From: Zheng Yejian @ 2022-11-02 3:52 UTC (permalink / raw)
To: akpm
Cc: linux-kernel, dave, tangmeng, vbabka, mcgrof, willy,
zhangjinhao2, zhengyejian1
On Wed, 2 Nov 2022 5:36:11 +0800, Andrew Morton <akpm@linux-foundation.org> wrote:
> On Sat, 15 May 2021 22:06:29 +0800 Zheng Yejian <zhengyejian1@huawei.com> wrote:
>
> > Type conversion in encode_comp_t() may look a bit problematic.
> >
>
> It took me a while, but these patches seem OK to me. Is your May 2021
> series still all good to apply?
Yes, they are still good to apply, I have re-checked them in:
https://lore.kernel.org/lkml/20210515140631.369106-1-zhengyejian1@huawei.com/
Those problems seems existed since 1da177e4c3f4 ("Linux-2.6.12-rc2").
-- Best regards, Zheng Yejian
>
> Thanks,
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-11-02 3:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-15 14:06 [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
2021-05-15 14:06 ` [PATCH 1/2] acct: Fix accuracy loss for input value of encode_comp_t() Zheng Yejian
2021-05-15 14:06 ` [PATCH 2/2] acct: Fix potential integer overflow in encode_comp_t() Zheng Yejian
2022-11-02 3:52 ` [PATCH 0/2] Fix encode_comp_t() Zheng Yejian
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).