lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 11 Nov 2016 10:19:16 +0000
From:   Chris Wilson <chris@...is-wilson.co.uk>
To:     Tvrtko Ursulin <tursulin@...ulin.net>
Cc:     Intel-gfx@...ts.freedesktop.org,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [Intel-gfx] [PATCH 2/4] lib/scatterlist: Avoid potential
 scatterlist entry overflow

On Fri, Nov 11, 2016 at 08:50:18AM +0000, Tvrtko Ursulin wrote:
> From: Tvrtko Ursulin <tvrtko.ursulin@...el.com>
> 
> Since the scatterlist length field is an unsigned int, make
> sure that sg_alloc_table_from_pages does not overflow it while
> coallescing pages to a single entry.
> 
> v2: Drop reference to future use. Use UINT_MAX.
> 
> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@...el.com>
> Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>
> Cc: linux-kernel@...r.kernel.org
> ---
>  lib/scatterlist.c | 25 +++++++++++++++++++------
>  1 file changed, 19 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/scatterlist.c b/lib/scatterlist.c
> index e05e7fc98892..de15f369b317 100644
> --- a/lib/scatterlist.c
> +++ b/lib/scatterlist.c
> @@ -394,7 +394,8 @@ int sg_alloc_table_from_pages(struct sg_table *sgt,
>  	unsigned int offset, unsigned long size,
>  	gfp_t gfp_mask)
>  {
> -	unsigned int chunks;
> +	const unsigned int max_segment = UINT_MAX;
> +	unsigned int seg_len, chunks;
>  	unsigned int i;
>  	unsigned int cur_page;
>  	int ret;
> @@ -402,9 +403,16 @@ int sg_alloc_table_from_pages(struct sg_table *sgt,
>  
>  	/* compute number of contiguous chunks */
>  	chunks = 1;
> -	for (i = 1; i < n_pages; ++i)
> -		if (page_to_pfn(pages[i]) != page_to_pfn(pages[i - 1]) + 1)
> +	seg_len = PAGE_SIZE;
> +	for (i = 1; i < n_pages; ++i) {
> +		if (seg_len >= max_segment ||
> +		    page_to_pfn(pages[i]) != page_to_pfn(pages[i - 1]) + 1) {
>  			++chunks;
> +			seg_len = PAGE_SIZE;
> +		} else {
> +			seg_len += PAGE_SIZE;
> +		}
> +	}
>  
>  	ret = sg_alloc_table(sgt, chunks, gfp_mask);
>  	if (unlikely(ret))
> @@ -413,17 +421,22 @@ int sg_alloc_table_from_pages(struct sg_table *sgt,
>  	/* merging chunks and putting them into the scatterlist */
>  	cur_page = 0;
>  	for_each_sg(sgt->sgl, s, sgt->orig_nents, i) {
> -		unsigned long chunk_size;
> +		unsigned int chunk_size;
>  		unsigned int j;
>  
>  		/* look for the end of the current chunk */
> +		seg_len = PAGE_SIZE;
>  		for (j = cur_page + 1; j < n_pages; ++j)
> -			if (page_to_pfn(pages[j]) !=
> +			if (seg_len >= max_segment ||
> +			    page_to_pfn(pages[j]) !=
>  			    page_to_pfn(pages[j - 1]) + 1)
>  				break;
> +			else
> +				seg_len += PAGE_SIZE;
>  
>  		chunk_size = ((j - cur_page) << PAGE_SHIFT) - offset;

chunk_size = seg_len - offset;
?

> -		sg_set_page(s, pages[cur_page], min(size, chunk_size), offset);
> +		sg_set_page(s, pages[cur_page],
> +			    min_t(unsigned long, size, chunk_size), offset);
>  		size -= chunk_size;
>  		offset = 0;
>  		cur_page = j;

Could BUG_ON(size); afterwards and BUG_ON(!size) inside? Although that
requires the caller didn't make a mistake in n_pages vs offset+size.

Minor comments,
Reviewed-by: Chris Wilson <chris@...is-wilson.co.uk>
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ