lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 02 Dec 2008 12:08:38 -0500 From: Bill Davidsen <davidsen@....com> To: Theodore Tso <tytso@....edu>, roel kluin <roel.kluin@...il.com>, davidsen@....com, adilger@....com, linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] ext3, ext4: do_split() fix loop, with obvious unsigned wrap Theodore Tso wrote: > On Mon, Dec 01, 2008 at 02:28:25PM -0500, roel kluin wrote: > >> Fix loop, with obvious unsigned wrap >> >> Signed-off-by: Roel Kluin <roel.kluin@...il.com> >> > > Um, no. Sorry, I didn't have a chance to reply earlier but this is > obviously wrong. > > Sorry, you are reading it wrong, the i values inside the loop are identical to those in the original. The value of i starts at count, and the test comes *before* the value is used inside the loop. The values of i inside the loop start at count-1 and go to zero, just as it did in the original. That's why the "i--" is there, the test is on the unincremented value range count to one, but the value inside the loop is correct (or at least is the same as the original patch). >> --- >> diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c >> index 3e5edc9..b0dcfb3 100644 >> --- a/fs/ext3/namei.c >> +++ b/fs/ext3/namei.c >> @@ -1188,7 +1188,7 @@ static struct ext3_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, >> /* Split the existing block in the middle, size-wise */ >> size = 0; >> move = 0; >> - for (i = count-1; i >= 0; i--) { >> + for (i = count; i--; ) { >> /* is more than half of this entry in 2nd half of the block? */ >> if (size + map[i].size/2 > blocksize/2) >> break; >> > > Note that i is actually **used** in the loop? So changing the > starting value of the counter without also adjusting all of the places > where i is used will cause the code to break, and in hard to find > ways... > > As I said, the values used are identical, and the code works correctly. > Given that there are two loop termination conditions, and in fact the > one in the loop is the one that actually gets used 99% of the time > (which is why we've never noticed the problem in real life), probably > the best way of handling this is to recast it not as a for loop, but > as a while loop. > > - Ted > > -- Bill Davidsen <davidsen@....com> "Woe unto the statesman who makes war without a reason that will still be valid when the war is over..." Otto von Bismark -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists