* [PATCH 1/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
@ 2013-12-30 7:29 Wenliang Fan
[not found] ` <1388388554-9513-1-git-send-email-fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 3+ messages in thread
From: Wenliang Fan @ 2013-12-30 7:29 UTC (permalink / raw)
To: slava-yeENwD64cLxBDgjK7y7TUQ, konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg
Cc: akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA, Wenliang Fan
Check before entering the cycle.
The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
fs/nilfs2/ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index b44bdb2..a260a98 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -65,6 +65,8 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
ret = 0;
total = 0;
pos = argv->v_index;
+ if (pos > ULONG_MAX - argv->v_nmembs)
+ return -EINVAL;
for (i = 0; i < argv->v_nmembs; i += n) {
n = (argv->v_nmembs - i < maxmembs) ?
argv->v_nmembs - i : maxmembs;
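Review bot: the bound in `if (pos > ULONG_MAX - argv->v_nmembs)` does not match the width of the value it protects. `pos` is initialised from `argv->v_index`, a `__u64`, so on a 32-bit kernel `ULONG_MAX` is 2^32 - 1 and the check rejects perfectly valid 64-bit indexes above that while still describing the wrap the commit message is about; use `ULLONG_MAX` (the 64-bit limit) here. Separately, the early `return -EINVAL;` bypasses the `free_pages()` at the end of the function for the page obtained from `__get_free_pages()` earlier, as the reply in this thread points out; since the check only reads `argv->v_index` and `argv->v_nmembs`, hoist it above the allocation rather than adding a second error path that has to free the buffer. The `a > MAX - b` form itself is the right idiom: with `b` unsigned the subtraction cannot wrap.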
--
1.8.5.rc1.28.g7061504
--
To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
[not found] ` <1388388554-9513-1-git-send-email-fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2013-12-30 7:29 ` Wenliang Fan
2013-12-30 9:29 ` [PATCH 1/2] " Vyacheslav Dubeyko
1 sibling, 0 replies; 3+ messages in thread
From: Wenliang Fan @ 2013-12-30 7:29 UTC (permalink / raw)
To: slava-yeENwD64cLxBDgjK7y7TUQ, konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg
Cc: akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA, Wenliang Fan
Check on every iteration.
The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
pos += n;
Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
fs/nilfs2/ioctl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index a260a98..1db4319 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -92,8 +92,13 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
total += nr;
if ((size_t)nr < n)
break;
- if (pos == ppos)
+ if (pos == ppos) {
+ if (pos > ULONG_MAX - n) {
+ ret = -EINVAL;
+ break;
+ }
pos += n;
+ }
}
argv->v_nmembs = total;
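Review bot: the check inside `if (pos == ppos) {` also runs on the final chunk, where the incremented `pos` is never read again: when `i + n == argv->v_nmembs` the loop exits right after `pos += n`, and the function goes on to `argv->v_nmembs = total;` without using `pos`. A request that fully succeeded (`total += nr;` has already counted this chunk) would therefore be reported as `-EINVAL`. Guard the check with `i + n < argv->v_nmembs`, or validate `pos` at the top of the iteration before it is handed to `dofunc`, so only an index that would actually be consumed is rejected. As in 1/2, the limit should be `ULLONG_MAX` to match the 64-bit `pos`, not `ULONG_MAX`.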
--
1.8.5.rc1.28.g7061504
^ permalink raw reply related [flat|nested] 3+ messages in thread
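Both commit messages describe the same arithmetic: `pos` starts at a user-supplied `argv->v_index` and is advanced by `n` once per chunk unless the callback moved it. The following is an added example, not nilfs2 code and not from either patch, that models that bookkeeping in user space so the wrap and the two proposed checks can be exercised. Everything prefixed `model_` is an assumption of this example: `MODEL_MAXMEMBS` stands in for `PAGE_SIZE / argv->v_size`, `model_dofunc()` for the `dofunc` callback (which, like the real ones, may move `*pos` itself), and the inputs in `main()` are constructed.

```c
/*
 * Added example, not nilfs2 code: a user-space model of the position
 * bookkeeping in nilfs_ioctl_wrap_copy(), so the "pos += n" wrap and the
 * two proposed checks can be exercised outside the kernel.  Everything
 * prefixed "model_" is an assumption of this example; MODEL_MAXMEMBS stands
 * in for PAGE_SIZE / argv->v_size, and model_dofunc() for the dofunc callback.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAXMEMBS 4

/* Overflow-safe test for pos + n on an unsigned 64-bit position.  The bound
 * must match the width of pos: UINT64_MAX here, ULLONG_MAX in the kernel;
 * ULONG_MAX is only 2^32 - 1 on a 32-bit build. */
static bool model_add_overflows(uint64_t pos, uint64_t n)
{
	return pos > UINT64_MAX - n;
}

/* Stand-in for the dofunc callback.  Like the real callbacks it may move
 * *pos itself: here the first call jumps to ctx->jump_to when that is set. */
struct model_ctx {
	uint64_t jump_to;
	int calls;
};

static long model_dofunc(struct model_ctx *ctx, uint64_t *pos, size_t n)
{
	ctx->calls++;
	if (ctx->jump_to && ctx->calls == 1)
		*pos = ctx->jump_to;
	return (long)n;		/* every member handled */
}

/*
 * Model of the loop.  check_before = the pre-loop check of patch 1/2,
 * check_each = the per-iteration check of patch 2/2.  Returns 0 or -EINVAL;
 * *final_pos gets the position after the loop, *total the members handled.
 */
static int model_wrap_copy(struct model_ctx *ctx, uint64_t v_index,
			   size_t v_nmembs, bool check_before, bool check_each,
			   uint64_t *final_pos, size_t *total)
{
	uint64_t pos = v_index, ppos;
	size_t i, n;
	int ret = 0;

	*total = 0;
	if (check_before && model_add_overflows(pos, v_nmembs))
		return -EINVAL;

	for (i = 0; i < v_nmembs; i += n) {
		long nr;

		n = (v_nmembs - i < MODEL_MAXMEMBS) ? v_nmembs - i : MODEL_MAXMEMBS;
		ppos = pos;
		nr = model_dofunc(ctx, &pos, n);
		if (nr < 0) {
			ret = (int)nr;
			break;
		}
		*total += (size_t)nr;
		if ((size_t)nr < n)
			break;
		if (pos == ppos) {
			if (check_each && model_add_overflows(pos, n)) {
				ret = -EINVAL;
				break;
			}
			pos += n;	/* silently wraps to a small index when unchecked */
		}
	}
	*final_pos = pos;
	return ret;
}

int main(void)
{
	struct model_ctx ctx = { 0, 0 };
	uint64_t fp;
	size_t total;
	int ret;

	/* Constructed input: v_index three below the top of the range, 8 members. */
	ret = model_wrap_copy(&ctx, UINT64_MAX - 2, 8, false, false, &fp, &total);
	printf("unchecked:      ret=%d pos=%llu total=%zu (pos wrapped)\n",
	       ret, (unsigned long long)fp, total);

	ctx = (struct model_ctx){ 0, 0 };
	ret = model_wrap_copy(&ctx, UINT64_MAX - 2, 8, true, false, &fp, &total);
	printf("pre-loop check: ret=%d total=%zu\n", ret, total);

	/* Callback moves pos near the top: only the per-iteration check sees it,
	 * but it fires on the last chunk, after all 8 members were handled. */
	ctx = (struct model_ctx){ UINT64_MAX - 1, 0 };
	ret = model_wrap_copy(&ctx, 0, 8, true, true, &fp, &total);
	printf("both checks:    ret=%d total=%zu\n", ret, total);
	return 0;
}
```

The three runs in `main()` show the shape of the problem: with no check, a `v_index` of `UINT64_MAX - 2` and 8 members wraps `pos` to a small index after the first chunk; the pre-loop check rejects that input up front, but it cannot see a position the callback itself moved near the top of the range, which only the per-iteration check catches; and that per-iteration check also fires on the last chunk, where the incremented `pos` is never used, turning a fully completed request into `-EINVAL`.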
* Re: [PATCH 1/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
[not found] ` <1388388554-9513-1-git-send-email-fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2013-12-30 7:29 ` [PATCH 2/2] " Wenliang Fan
@ 2013-12-30 9:29 ` Vyacheslav Dubeyko
1 sibling, 0 replies; 3+ messages in thread
From: Vyacheslav Dubeyko @ 2013-12-30 9:29 UTC (permalink / raw)
To: Wenliang Fan
Cc: konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA
On Mon, 2013-12-30 at 15:29 +0800, Wenliang Fan wrote:
> Check before entering the cycle.
>
> The local variable 'pos' comes from userspace. If a large number was
> passed, there would be an integer overflow in the following line:
> pos += n;
>
> Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
> fs/nilfs2/ioctl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index b44bdb2..a260a98 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -65,6 +65,8 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
> ret = 0;
> total = 0;
> pos = argv->v_index;
> + if (pos > ULONG_MAX - argv->v_nmembs)
I'd prefer to use brackets during condition checking. But it is only my
preference.
> + return -EINVAL;
I think that you have an issue in this code. __get_free_pages is called
before your code (please, see
http://lxr.free-electrons.com/source/fs/nilfs2/ioctl.c#L60). But you
simply return -EINVAL without a free_pages() call. So, I think that it is
a memory leak.
Thanks,
Vyacheslav Dubeyko.
> for (i = 0; i < argv->v_nmembs; i += n) {
> n = (argv->v_nmembs - i < maxmembs) ?
> argv->v_nmembs - i : maxmembs;
^ permalink raw reply [flat|nested] 3+ messages in thread
Thread overview: 3+ messages
2013-12-30 7:29 [PATCH 1/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy() Wenliang Fan
[not found] ` <1388388554-9513-1-git-send-email-fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2013-12-30 7:29 ` [PATCH 2/2] " Wenliang Fan
2013-12-30 9:29 ` [PATCH 1/2] " Vyacheslav Dubeyko