From: jiangyiwen <jiangyiwen@huawei.com>
To: Tomas Bortoli <tomasbortoli@gmail.com>, <ericvh@gmail.com>,
<rminnich@sandia.gov>, <lucho@ionkov.net>,
Andrew Morton <akpm@linux-foundation.org>
Cc: <linux-kernel@vger.kernel.org>, <syzkaller@googlegroups.com>,
<v9fs-developer@lists.sourceforge.net>, <davem@davemloft.net>
Subject: Re: [V9fs-developer] [PATCH] Integer underflow in pdu_read()
Date: Wed, 11 Jul 2018 10:04:26 +0800 [thread overview]
Message-ID: <5B4565AA.6050309@huawei.com> (raw)
In-Reply-To: <20180709192651.28095-1-tomasbortoli@gmail.com>
On 2018/7/10 3:26, Tomas Bortoli wrote:
> The pdu_read() function suffers from an integer underflow.
> When pdu->offset is greater than pdu->size, the length calculation will have
> a wrong result, resulting in an out-of-bound read.
> This patch modifies also pdu_write() in the same way to prevent the same
> issue from happening there and for consistency.
I guess this case may happened only when server send wrong size to
the client and then cause size < offset, or else I think this case
will not happen. Is it right? Or other cases?
In addition, the email should also send to andrew morton, because
9p maintainer already don't maintain the project, andrew can help
merge the patch.
>
> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
> ---
> net/9p/protocol.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
> index 931ea00c4fed..f1e2425f920b 100644
> --- a/net/9p/protocol.c
> +++ b/net/9p/protocol.c
> @@ -55,16 +55,20 @@ EXPORT_SYMBOL(p9stat_free);
>
> size_t pdu_read(struct p9_fcall *pdu, void *data, size_t size)
> {
> - size_t len = min(pdu->size - pdu->offset, size);
> - memcpy(data, &pdu->sdata[pdu->offset], len);
> + size_t len = pdu->offset > pdu->size ? 0 :
> + min(pdu->size - pdu->offset, size);
I suggest this add two *Tab* lens.
> + if (len != 0)
> + memcpy(data, &pdu->sdata[pdu->offset], len);
> pdu->offset += len;
> return size - len;
> }
>
> static size_t pdu_write(struct p9_fcall *pdu, const void *data, size_t size)
> {
> - size_t len = min(pdu->capacity - pdu->size, size);
> - memcpy(&pdu->sdata[pdu->size], data, len);
> + size_t len = pdu->size > pdu->capacity ? 0 :
> + min(pdu->capacity - pdu->size, size);
The same as above.
> + if (len != 0)
> + memcpy(&pdu->sdata[pdu->size], data, len);
> pdu->size += len;
> return size - len;
> }
>
next prev parent reply other threads:[~2018-07-11 2:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-09 19:26 [V9fs-developer] [PATCH] Integer underflow in pdu_read() Tomas Bortoli
2018-07-09 19:31 ` Al Viro
2018-07-09 22:14 ` Tomas Bortoli
2018-07-09 23:29 ` Dominique Martinet
2018-07-10 1:27 ` piaojun
2018-07-10 8:27 ` Tomas Bortoli
2018-07-10 11:06 ` piaojun
2018-07-10 11:16 ` piaojun
2018-07-11 2:04 ` jiangyiwen [this message]
2018-07-12 11:05 ` Tomas Bortoli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5B4565AA.6050309@huawei.com \
--to=jiangyiwen@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=ericvh@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lucho@ionkov.net \
--cc=rminnich@sandia.gov \
--cc=syzkaller@googlegroups.com \
--cc=tomasbortoli@gmail.com \
--cc=v9fs-developer@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).