lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Sep 2021 20:45:17 +0300 From: Tariq Toukan <ttoukan.linux@...il.com> To: Eric Dumazet <eric.dumazet@...il.com>, "Gustavo A. R. Silva" <gustavoars@...nel.org>, Tariq Toukan <tariqt@...dia.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org> Cc: netdev@...r.kernel.org, linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH][net-next] net/mlx4: Use array_size() helper in copy_to_user() On 9/29/2021 8:21 PM, Eric Dumazet wrote: > > > On 9/29/21 3:24 AM, Tariq Toukan wrote: >> >> >> On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote: >>> Use array_size() helper instead of the open-coded version in >>> copy_to_user(). These sorts of multiplication factors need >>> to be wrapped in array_size(). >>> >>> Link: https://github.com/KSPP/linux/issues/160 >>> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org> >>> --- >>> drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c >>> index f7053a74e6a8..4d4f9cf9facb 100644 >>> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c >>> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c >>> @@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) >>> buf += PAGE_SIZE; >>> } >>> } else { >>> - err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ? >>> + err = copy_to_user((void __user *)buf, init_ents, >>> + array_size(entries, cqe_size)) ? >>> -EFAULT : 0; >>> } >>> >> >> Thanks for your patch. >> Reviewed-by: Tariq Toukan <tariqt@...dia.com> > > Not sure why avoiding size_t overflows would make this code safer. > init_ents contains PAGE_SIZE bytes... > > BTW > > Is @entries guaranteed to be a power of two ? Yes. > > This function seems to either copy one chunk ( <= PAGE_SIZE), > or a number of full pages. > Exactly. No remainder handling is needed, for the reason you mentioned above.
Powered by blists - more mailing lists