lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 15 Apr 2011 12:53:04 -0400
From:	Paul Gortmaker <paul.gortmaker@...driver.com>
To:	Greg KH <gregkh@...e.de>
CC:	linux-kernel@...r.kernel.org, stable@...nel.org,
	Andy Grover <andy.grover@...cle.com>,
	"David S. Miller" <davem@...emloft.net>, akpm@...ux-foundation.org,
	torvalds@...ux-foundation.org, stable-review@...nel.org,
	alan@...rguk.ukuu.org.uk
Subject: Re: [stable] [74/74] net: fix rds_iovec page count overflow

On 11-04-13 11:51 AM, Greg KH wrote:
> 2.6.32-longterm review patch.  If anyone has any objections, please let us know.
> 
> ------------------
> 
> From: Linus Torvalds <torvalds@...ux-foundation.org>
> 
> commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.
> 
> As reported by Thomas Pollet, the rdma page counting can overflow.  We
> get the rdma sizes in 64-bit unsigned entities, but then limit it to
> UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
> an unaligned address).
> 
> So each individual page count fits comfortably in an 'unsigned int' (not
> even close to overflowing into signed), but as they are added up, they
> might end up resulting in a signed return value. Which would be wrong.
> 
> Catch the case of tot_pages turning negative, and return the appropriate
> error code.
> 
> Reported-by: Thomas Pollet <thomas.pollet@...il.com>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Signed-off-by: Andy Grover <andy.grover@...cle.com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
> 
> ---
>  net/rds/rdma.c |    8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> --- a/net/rds/rdma.c
> +++ b/net/rds/rdma.c
> @@ -473,6 +473,14 @@ static struct rds_rdma_op *rds_rdma_prep
>  
>  		max_pages = max(nr, max_pages);
>  		nr_pages += nr;
> +
> +		/*
> +		 * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
> +		 * so tot_pages cannot overflow without first going negative.
> +		 */
> +		if ((int)nr_pages < 0)

Sorry if this doesn't make the review cutoff; just noticed it now.

A cosmetic note -- I think the comment no longer matches the code for
the backport, in that it is now misleading, and should instead be:

	* nr for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
	* so nr_pages cannot overflow without first going negative.

For context, the original upstream was:

                tot_pages += nr_pages;
+
+               /*
+                * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
+                * so tot_pages cannot overflow without first going negative.
+                */
+               if ((int)tot_pages < 0)
+                       return -EINVAL;

Paul.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ