* [PATCH 1/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
From: Wenliang Fan @ 2013-12-30  7:29 UTC
  To: slava-yeENwD64cLxBDgjK7y7TUQ, konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg
  Cc: akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
	linux-nilfs-u79uwXL29TY76Z2rM5mHXA, Wenliang Fan

Check before entering the cycle.

The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
        pos += n;

Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 fs/nilfs2/ioctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index b44bdb2..a260a98 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -65,6 +65,8 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
 	ret = 0;
 	total = 0;
 	pos = argv->v_index;
+	if (pos > ULONG_MAX - argv->v_nmembs)
+		return -EINVAL;
 	for (i = 0; i < argv->v_nmembs; i += n) {
 		n = (argv->v_nmembs - i < maxmembs) ?
 			argv->v_nmembs - i : maxmembs;
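Review bot: the new `return -EINVAL;` leaves nilfs_ioctl_wrap_copy() without releasing the page buffer allocated earlier in the function (Vyacheslav's reply in this thread points at the __get_free_pages() call that precedes this code), so every rejected request leaks one page. The condition depends only on argv->v_index and argv->v_nmembs, both known before any allocation, so the cleanest fix is to move the check above the allocation, where an early return is safe; otherwise set `ret = -EINVAL` and jump to the path that calls free_pages() before returning. The commit message should also state why a single entry check is enough: each pass adds n to pos and the n values sum to argv->v_nmembs, so the loop's own increments can never carry pos past v_index + v_nmembs.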
-- 
1.8.5.rc1.28.g7061504

--
To unsubscribe from this list: send the line "unsubscribe linux-nilfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
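Added here for illustration, not the kernel's code and not part of the thread: a user-space model of the copy loop, once as written and once with the entry guard from 1/2, plus a property check showing that the guard rejects exactly the inputs for which the unchecked loop wraps. The names v_index, v_nmembs, pos, n and maxmembs follow the patch; the 64-bit width of pos, the struct layout and the helper names are assumptions, because the page does not show the kernel declarations, and for the same reason the bound is UINT64_MAX rather than ULONG_MAX.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the two nilfs_argv fields the copy loop reads.
 * Field names follow the patch; the widths are assumptions, since the page
 * does not show the kernel declarations. */
struct argv_model {
	uint64_t v_index;   /* first record position, supplied by user space */
	uint32_t v_nmembs;  /* number of records, supplied by user space */
};

/* Overflow-safe test for "a + b fits in a uint64_t".  Same shape as the
 * patch's `pos > ULONG_MAX - n`, but the limit is tied to the operand
 * width: ULONG_MAX is 2^32 - 1 on 32-bit Linux and 2^64 - 1 on 64-bit,
 * so it is only the right bound where pos really is an unsigned long. */
static bool add_would_overflow_u64(uint64_t a, uint64_t b)
{
	return a > UINT64_MAX - b;
}

/* Model of the unpatched loop: advance pos by n records per batch and
 * return the final pos.  The addition wraps modulo 2^64 once
 * v_index + v_nmembs no longer fits, which is the bug under discussion. */
static uint64_t walk_unchecked(const struct argv_model *argv, size_t maxmembs)
{
	uint64_t pos = argv->v_index;
	size_t n;

	for (uint32_t i = 0; i < argv->v_nmembs; i += n) {
		n = (argv->v_nmembs - i < maxmembs) ?
			argv->v_nmembs - i : maxmembs;
		pos += n;
	}
	return pos;
}

/* Model of the loop with the entry guard from [PATCH 1/2].  Each pass adds
 * exactly n and the batches sum to v_nmembs, so one check of
 * v_index + v_nmembs covers every increment this loop makes.  Returns 0 and
 * stores the final pos in *out, or -EINVAL when the sum would wrap. */
static int walk_checked(const struct argv_model *argv, size_t maxmembs,
			uint64_t *out)
{
	uint64_t pos = argv->v_index;
	size_t n;

	if (add_would_overflow_u64(pos, argv->v_nmembs))
		return -EINVAL;

	for (uint32_t i = 0; i < argv->v_nmembs; i += n) {
		n = (argv->v_nmembs - i < maxmembs) ?
			argv->v_nmembs - i : maxmembs;
		pos += n;	/* cannot wrap: pos + remaining <= UINT64_MAX */
	}
	*out = pos;
	return 0;
}

/* Property check: the guard rejects an input exactly when the unchecked
 * loop wraps, i.e. ends below the index it started from. */
static bool guard_matches_wrap(const struct argv_model *argv, size_t maxmembs)
{
	uint64_t pos;
	bool wrapped = walk_unchecked(argv, maxmembs) < argv->v_index;
	bool rejected = walk_checked(argv, maxmembs, &pos) == -EINVAL;

	return wrapped == rejected;
}

int main(void)
{
	/* Constructed inputs: ten records starting five below the limit. */
	struct argv_model bad = { .v_index = UINT64_MAX - 5, .v_nmembs = 10 };
	struct argv_model ok = { .v_index = 100, .v_nmembs = 10 };
	uint64_t pos;

	printf("unchecked: pos wrapped to %llu\n",
	       (unsigned long long)walk_unchecked(&bad, 4));
	printf("checked: bad input %s\n",
	       walk_checked(&bad, 4, &pos) == -EINVAL ? "rejected" : "accepted");
	if (walk_checked(&ok, 4, &pos) == 0)
		printf("checked: final pos %llu\n", (unsigned long long)pos);
	return 0;
}
```

Build with any C99 compiler and run: the `bad` input wraps to 4 in the unchecked walk and is rejected by the guarded one, while the boundary input v_index = UINT64_MAX - 10 with ten records is accepted, because the sum lands exactly on the limit without wrapping.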


* [PATCH 2/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
From: Wenliang Fan @ 2013-12-30  7:29 UTC
  To: slava-yeENwD64cLxBDgjK7y7TUQ, konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg
  Cc: akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
	linux-nilfs-u79uwXL29TY76Z2rM5mHXA, Wenliang Fan

Check on every iteration.

The local variable 'pos' comes from userspace. If a large number was
passed, there would be an integer overflow in the following line:
        pos += n;

Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 fs/nilfs2/ioctl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index a260a98..1db4319 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -92,8 +92,13 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
 		total += nr;
 		if ((size_t)nr < n)
 			break;
-		if (pos == ppos)
+		if (pos == ppos) {
+			if (pos > ULONG_MAX - n) {
+				ret = -EINVAL;
+				break;
+			}
 			pos += n;
+		}
 	}
 	argv->v_nmembs = total;
 
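Review bot: the commit message should say what this per-iteration check covers that the entry check in 1/2 does not. The loop adds n to pos only when the callee left pos untouched (pos == ppos), and those n values sum to argv->v_nmembs, so with 1/2 applied the loop's own increments cannot wrap; the new test only matters if the callee can move pos to within n of the limit. If that is the motivation, state it; if not, the two patches should be folded into one. Note also the placement: the break comes after `total += nr`, so the caller receives -EINVAL while `argv->v_nmembs = total` already reports a partially processed request, which deserves a sentence in the log. On the plus side, `ret = -EINVAL` followed by `break` falls through to the code after the loop rather than returning directly, so it avoids the cleanup problem raised against 1/2.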
-- 
1.8.5.rc1.28.g7061504



* Re: [PATCH 1/2] fs/nilfs2: Integer overflow in nilfs_ioctl_wrap_copy()
From: Vyacheslav Dubeyko @ 2013-12-30  9:29 UTC
  To: Wenliang Fan
  Cc: konishi.ryusuke-Zyj7fXuS5i5L9jVzuh4AOg,
	akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b,
	linux-nilfs-u79uwXL29TY76Z2rM5mHXA

On Mon, 2013-12-30 at 15:29 +0800, Wenliang Fan wrote:
> Check before entering into cycle.
> 
> The local variable 'pos' comes from userspace. If a large number was
> passed, there would be an integer overflow in the following line:
>         pos += n;
> 
> Signed-off-by: Wenliang Fan <fanwlexca-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  fs/nilfs2/ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
> index b44bdb2..a260a98 100644
> --- a/fs/nilfs2/ioctl.c
> +++ b/fs/nilfs2/ioctl.c
> @@ -65,6 +65,8 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
>  	ret = 0;
>  	total = 0;
>  	pos = argv->v_index;
> +	if (pos > ULONG_MAX - argv->v_nmembs)

I'd prefer to use brackets during condition checking. But it is only my
preference.

> +		return -EINVAL;

I think that you have an issue in this code. __get_free_pages is called
before your code (please see
http://lxr.free-electrons.com/source/fs/nilfs2/ioctl.c#L60). But you
simply return -EINVAL without a free_pages() call. So, I think that it is
a memory leak.

Thanks,
Vyacheslav Dubeyko.

>  	for (i = 0; i < argv->v_nmembs; i += n) {
>  		n = (argv->v_nmembs - i < maxmembs) ?
>  			argv->v_nmembs - i : maxmembs;
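Review bot: the limit in `if (pos > ULONG_MAX - argv->v_nmembs)` is only the right bound if pos is an unsigned long. If pos and argv->v_index are fixed-width 64-bit values (the hunk does not show the declarations), then on a 32-bit build ULONG_MAX is 2^32 - 1 and the check rejects every index at or above 2^32 - v_nmembs even though the 64-bit addition cannot wrap there; use the limit that matches the declared type of pos. The brace question raised above is style only: kernel coding style omits braces around a single-statement body, so the unbraced form in the hunk is the conventional one.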



