* [PATCH] paride: Fixed integer overflow in pt_read and pt_write
@ 2022-06-19 3:40 Hyunwoo Kim
0 siblings, 0 replies; 2+ messages in thread
From: Hyunwoo Kim @ 2022-06-19 3:40 UTC (permalink / raw)
To: tim, axboe, linux-block, linux-kernel
In pt_read() and pt_write(), the "size_t count" variable is
assigned to the "int n" variable and then size check is performed.
static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
{
...
int k, n, r, p, s, t, b;
...
while (count > 0) {
if (!pt_poll_dsc(tape, HZ / 100, PT_TMO, "write"))
return -EIO;
n = count;
if (n > 32768)
n = 32768; /* max per command */
If the user passes the SIZE_MAX value to the "count" variable,
the "n" value is greater than 32768, but it becomes a negative
number and passes the size check.
In other words, we need to add a negative check as well,
since the size check makes no sense.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
drivers/block/paride/pt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c
index e815312a00ad..f37aa1349622 100644
--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -787,7 +787,7 @@ static ssize_t pt_read(struct file *filp, char __user *buf, size_t count, loff_t
return -EIO;
n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
@@ -888,7 +888,7 @@ static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count,
return -EIO;
n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH] paride: Fixed integer overflow in pt_read and pt_write
@ 2022-06-26 11:02 Hyunwoo Kim
0 siblings, 0 replies; 2+ messages in thread
From: Hyunwoo Kim @ 2022-06-26 11:02 UTC (permalink / raw)
To: tim, axboe; +Cc: linux-block
In pt_read() and pt_write(), the "size_t count" variable is
assigned to the "int n" variable and then size check is performed.
static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
{
...
int k, n, r, p, s, t, b;
...
while (count > 0) {
if (!pt_poll_dsc(tape, HZ / 100, PT_TMO, "write"))
return -EIO;
n = count;
if (n > 32768)
n = 32768; /* max per command */
If the user passes the SIZE_MAX value to the "count" variable,
the "n" value is greater than 32768, but it becomes a negative
number and passes the size check.
In other words, we need to add a negative check as well,
since the size check makes no sense.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
drivers/block/paride/pt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/paride/pt.c b/drivers/block/paride/pt.c
index e815312a00ad..f37aa1349622 100644
--- a/drivers/block/paride/pt.c
+++ b/drivers/block/paride/pt.c
@@ -787,7 +787,7 @@ static ssize_t pt_read(struct file *filp, char __user *buf, size_t count, loff_t
return -EIO;
n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
@@ -888,7 +888,7 @@ static ssize_t pt_write(struct file *filp, const char __user *buf, size_t count,
return -EIO;
n = count;
- if (n > 32768)
+ if (n > 32768 || n < 0)
n = 32768; /* max per command */
b = (n - 1 + tape->bs) / tape->bs;
n = b * tape->bs; /* rounded up to even block */
--
2.25.1
Dear all,
I submitted this patch a week ago.
Can I get feedback on this patch?
Regards,
Hyunwoo Kim.
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-06-26 11:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-19 3:40 [PATCH] paride: Fixed integer overflow in pt_read and pt_write Hyunwoo Kim
2022-06-26 11:02 Hyunwoo Kim
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.