From: Jan Harkes <jaharkes@cs.cmu.edu>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v2] fs/coda: potential buffer overflow in coda_psdev_write()
Date: Fri, 13 Jul 2018 16:16:30 +0000 [thread overview]
Message-ID: <20180713161630.olrwa2n2tnpqbmlt@cs.cmu.edu> (raw)
In-Reply-To: <20180713151017.lxbv4eljvd6olziq@kili.mountain>
On Fri, Jul 13, 2018 at 06:10:17PM +0300, Dan Carpenter wrote:
> "dcbuf" is a union that is "size" bytes large. We ensure that "nbytes"
> is large enough to hold the smallest member of the union, but the
> problem is that we might try to use a larger member. If "nbytes" is
> set to sizeof(struct coda_out_hdr) that would cause a problem in
> coda_downcall() when we try to access &out->coda_zapdir.CodaFid;
>
> The union is quite small so we can allocate enough space so everything
> fits. The CODA_ALLOC() macro calls kzalloc() which means the extra
> memory is just zeroed and it's fine.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: I forgot to update CODA_FREE() in my first patch.
You also seem to have missed my comments on your first patch. The
smallest size test is only to make sure we at least get a complete
message header.
If your concern is that a userspace client might send a CODA_ZAPDIR
downcall but doesn't actually include enough data for the message to
contain the file identifier to be zapped. I don't think this shouldn't
be papered over by just passing along some extra zero bytes.
How would we know these extra zero bytes are fine? How does the
developer implementing this broken Coda client find out that he is not
actually sending a properly formatted message and the intended cache
flush never happens?
The proper fix should be to check that we received at least enough data
to fully read the received downcall message based on the opcode in the
received message header and log/return an error if it doesn't match.
Jan
next prev parent reply other threads:[~2018-07-13 16:16 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-12 12:32 [PATCH] fs/coda: potential buffer overflow in coda_psdev_write() Dan Carpenter
2018-07-12 12:32 ` Dan Carpenter
2018-07-12 15:31 ` Jan Harkes
2018-07-12 15:31 ` Jan Harkes
2018-07-12 15:50 ` Dan Carpenter
2018-07-12 15:50 ` Dan Carpenter
2018-07-13 15:10 ` [PATCH v2] " Dan Carpenter
2018-07-13 16:16 ` Jan Harkes [this message]
2018-07-13 19:05 ` Dan Carpenter
2018-07-13 19:05 ` Dan Carpenter
2018-07-13 19:08 ` Jan Harkes
2018-07-13 19:08 ` Jan Harkes
2018-07-14 2:24 ` [PATCH v3] " Jan Harkes
2018-07-14 2:24 ` Jan Harkes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180713161630.olrwa2n2tnpqbmlt@cs.cmu.edu \
--to=jaharkes@cs.cmu.edu \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.