lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 05 Jun 2013 10:52:48 +0200
From:	Jerome Marchand <jmarchan@...hat.com>
To:	Jiang Liu <liuj97@...il.com>
CC:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Nitin Gupta <ngupta@...are.org>,
	Minchan Kim <minchan@...nel.org>,
	Yijing Wang <wangyijing@...wei.com>,
	Jiang Liu <jiang.liu@...wei.com>, devel@...verdev.osuosl.org,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 6/8] zram: avoid access beyond the zram device

On 06/04/2013 05:09 PM, Jiang Liu wrote:
> On Tue 04 Jun 2013 09:15:43 PM CST, Jerome Marchand wrote:
>> On 06/03/2013 05:42 PM, Jiang Liu wrote:
>>> Function valid_io_request() should verify the entire request doesn't
>>> exceed the zram device, otherwise it will cause invalid memory access.
>>>
>>> Signed-off-by: Jiang Liu <jiang.liu@...wei.com>
>>> ---
>>>  drivers/staging/zram/zram_drv.c | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>>> index 66cf28a..64b51b9 100644
>>> --- a/drivers/staging/zram/zram_drv.c
>>> +++ b/drivers/staging/zram/zram_drv.c
>>> @@ -428,6 +428,10 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
>>>  		return 0;
>>>  	}
>>>
>>> +	if (unlikely((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>>> +		     zram->disksize))
>>> +		return 0;
>>> +
>>
>> This test make the first line of previous test redundant. Why not just
>> update it like the following:
>>
>> -		(bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
>> +		((bio->bi_sector << SECTOR_SHIFT) + bio->bi_size >=
>> +			zram->disksize)) ||
>>
>>
>> Jerome
> Hi Jerome,
>          I think the test "bio->bi_sector >= (zram->disksize >> 
> SECTOR_SHIFT)" is still
> needed to protect "(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size" 
> from wrapping
> around.

Good point, but I don't see how this is going to catch all the possible
values that overflow. You still need an explicit overflow test
(bio->bi_sector << SECTOR_SHIFT) + bio->bi_size < bio->bi_size), at
which point the first test would be useless.

Jerome

> Regards!
> Gerry
> 
>>
>>>  	/* I/O request is valid */
>>>  	return 1;
>>>  }
>>>
>>
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ