linux-btrfs.vger.kernel.org archive mirror
From: Dan Carpenter <dan.carpenter@linaro.org>
To: gerhard@heift.name
Cc: linux-btrfs@vger.kernel.org
Subject: [bug report] btrfs: new ioctl TREE_SEARCH_V2
Date: Fri, 13 Oct 2023 10:52:04 +0300
Message-ID: <ce6f4bd6-9453-4ffe-ba00-cee35495e10f@moroto.mountain>

Hello Gerhard Heift,

The patch cc68a8a5a433: "btrfs: new ioctl TREE_SEARCH_V2" from Jan
30, 2014 (linux-next), leads to the following Smatch static checker
warning:

	fs/btrfs/ioctl.c:1787 btrfs_ioctl_tree_search_v2()
	warn: not copying enough bytes for '&uarg->buf_size' (8 vs 4 bytes)

fs/btrfs/ioctl.c
    1760 static noinline int btrfs_ioctl_tree_search_v2(struct inode *inode,
    1761                                                void __user *argp)
    1762 {
    1763         struct btrfs_ioctl_search_args_v2 __user *uarg = argp;
    1764         struct btrfs_ioctl_search_args_v2 args;
    1765         int ret;
    1766         size_t buf_size;
    1767         const size_t buf_limit = SZ_16M;
    1768 
    1769         if (!capable(CAP_SYS_ADMIN))
    1770                 return -EPERM;
    1771 
    1772         /* copy search header and buffer size */
    1773         if (copy_from_user(&args, uarg, sizeof(args)))
    1774                 return -EFAULT;
    1775 
    1776         buf_size = args.buf_size;
    1777 
    1778         /* limit result size to 16MB */
    1779         if (buf_size > buf_limit)
    1780                 buf_size = buf_limit;
    1781 
    1782         ret = search_ioctl(inode, &args.key, &buf_size,
    1783                            (char __user *)(&uarg->buf[0]));
    1784         if (ret == 0 && copy_to_user(&uarg->key, &args.key, sizeof(args.key)))
    1785                 ret = -EFAULT;
    1786         else if (ret == -EOVERFLOW &&
--> 1787                 copy_to_user(&uarg->buf_size, &buf_size, sizeof(buf_size)))

uarg->buf_size is a u64 but we are copying sizeof(unsigned long) bytes
so on 32 bit systems that's not enough.  It probably works fine on
little endian 32 bit systems, but on big endian 32 bit systems it won't.

    1788                 ret = -EFAULT;
    1789 
    1790         return ret;
    1791 }

regards,
dan carpenter
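To make the failure concrete, here is an added C model (constructed for this page, not code from the report or from fs/btrfs/ioctl.c) of what userspace reads back from the 8-byte buf_size field when a 32-bit kernel copies only sizeof(size_t) == 4 bytes into it. The field is modelled as raw bytes so both byte orders can be checked on any host; the "fixed" variant is the straightforward widen-to-u64 approach and is not claimed to be the fix that went into the kernel.

```c
#include <stdint.h>
#include <string.h>

/* The 8-byte uarg->buf_size field modelled as raw memory in the target's byte order. */
static void put_u64(uint8_t field[8], uint64_t v, int big_endian)
{
	for (int i = 0; i < 8; i++) {
		int shift = big_endian ? (7 - i) * 8 : i * 8;
		field[i] = (uint8_t)(v >> shift);
	}
}

static uint64_t get_u64(const uint8_t field[8], int big_endian)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++) {
		int shift = big_endian ? (7 - i) * 8 : i * 8;
		v |= (uint64_t)field[i] << shift;
	}
	return v;
}

/*
 * Buggy variant: on a 32-bit kernel size_t buf_size is 4 bytes, so
 * copy_to_user(&uarg->buf_size, &buf_size, sizeof(buf_size)) overwrites only
 * the first 4 bytes of the user's 8-byte field.  Returns what userspace reads back.
 */
static uint64_t buggy_report(uint64_t user_initial, uint32_t kernel_buf_size, int big_endian)
{
	uint8_t field[8], src[4];
	put_u64(field, user_initial, big_endian);
	for (int i = 0; i < 4; i++) {
		int shift = big_endian ? (3 - i) * 8 : i * 8;
		src[i] = (uint8_t)(kernel_buf_size >> shift);
	}
	memcpy(field, src, sizeof(src)); /* partial write: the other half keeps the user's old bytes */
	return get_u64(field, big_endian);
}

/* Fixed variant (assumed approach): widen to a u64 first so all 8 bytes of the field are written. */
static uint64_t fixed_report(uint64_t user_initial, uint32_t kernel_buf_size, int big_endian)
{
	uint8_t field[8], src[8];
	put_u64(field, user_initial, big_endian);
	put_u64(src, (uint64_t)kernel_buf_size, big_endian);
	memcpy(field, src, sizeof(src));
	return get_u64(field, big_endian);
}
```

On little-endian the partial write only happens to look right when the user's original value had no bits above 32; on big-endian the kernel's value lands in the high half and the reported size is wrong every time.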

Thread overview:
2023-10-13  7:52 Dan Carpenter [this message]
2023-10-13  9:07 ` [bug report] btrfs: new ioctl TREE_SEARCH_V2 Filipe Manana
