| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Sep 2015 15:15:58 +0000
From: James Bottomley <jbottomley@...n.com>
To: "vkuznets@...hat.com" <vkuznets@...hat.com>
CC: "linux@...musvillemoes.dk" <linux@...musvillemoes.dk>,
"andriy.shevchenko@...ux.intel.com"
<andriy.shevchenko@...ux.intel.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"kys@...rosoft.com" <kys@...rosoft.com>
Subject: Re: [PATCH v2] lib/string_helpers.c: fix infinite loop in
string_get_size()
On Mon, 2015-09-14 at 14:57 +0200, Vitaly Kuznetsov wrote:
> Some string_get_size() calls (e.g.:
> string_get_size(1, 512, STRING_UNITS_10, ..., ...)
> string_get_size(15, 64, STRING_UNITS_10, ..., ...)
> ) result in an infinite loop. The problem is that if size is equal to
> divisor[units]/blk_size and is smaller than divisor[units] we'll end
> up with size == 0 when we start doing sf_cap calculations:
>
> For string_get_size(1, 512, STRING_UNITS_10, ..., ...) case:
> ...
> remainder = do_div(size, divisor[units]); -> size is 0, remainder is 1
> remainder *= blk_size; -> remainder is 512
> ...
> size *= blk_size; -> size is still 0
> size += remainder / divisor[units]; -> size is still 0
>
> The caller causing the issue is sd_read_capacity(), the problem was noticed
> on Hyper-V, such weird size was reported by host when scanning collides
> with device removal. This is probably a separate issue worth fixing, this
> patch is intended to prevent the library routing from infinite looping.
>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
> ---
> lib/string_helpers.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/string_helpers.c b/lib/string_helpers.c
> index c98ae81..d0e607c 100644
> --- a/lib/string_helpers.c
> +++ b/lib/string_helpers.c
> @@ -59,7 +59,7 @@ void string_get_size(u64 size, u64 blk_size, const enum string_size_units units,
> }
>
> exp = divisor[units] / (u32)blk_size;
Add a comment here explaining to those who come after why strict greater
than is necessary. Something like:
/* size must be strictly greater than exp here to ensure
* that remainder is greater than divisor[units] coming out of the if */
> - if (size >= exp) {
> + if (size > exp) {
> remainder = do_div(size, divisor[units]);
> remainder *= blk_size;
> i++;
So when pushed, you finally found the algorithmic problem. Well done.
Acked-by: James Bottomley <JBottomley@...n.com>
James
Powered by blists - more mailing lists