lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20140430120001.b4b95061ac7252a976b8a179@linux-foundation.org>
Date:	Wed, 30 Apr 2014 12:00:01 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Rik van Riel <riel@...hat.com>
Cc:	Michal Hocko <mhocko@...e.cz>,
	Masayoshi Mizuma <m.mizuma@...fujitsu.com>,
	linux-kernel@...r.kernel.org, linux-mm@...ck.org,
	sandeen@...hat.com, jweiner@...hat.com,
	kosaki.motohiro@...fujitsu.com, fengguang.wu@...el.com,
	mpatlasov@...allels.com, Motohiro.Kosaki@...fujitsu.com
Subject: Re: [PATCH v3] mm,writeback: fix divide by zero in
 pos_ratio_polynom

On Wed, 30 Apr 2014 10:41:14 -0400 Rik van Riel <riel@...hat.com> wrote:

> It is possible for "limit - setpoint + 1" to equal zero, leading to a
> divide by zero error. Blindly adding 1 to "limit - setpoint" is not
> working, so we need to actually test the divisor before calling div64.
> 
> ...
>
> --- a/mm/page-writeback.c
> +++ b/mm/page-writeback.c
> @@ -598,10 +598,15 @@ static inline long long pos_ratio_polynom(unsigned long setpoint,
>  					  unsigned long limit)
>  {
>  	long long pos_ratio;
> +	long divisor;
>  	long x;
>  
> +	divisor = limit - setpoint;
> +	if (!(s32)divisor)
> +		divisor = 1;	/* Avoid div-by-zero */
> +
>  	x = div_s64(((s64)setpoint - (s64)dirty) << RATELIMIT_CALC_SHIFT,
> -		    limit - setpoint + 1);
> +		    (s32)divisor);

Doesn't this just paper over the bug one time in four billion?  The
other 3999999999 times, pos_ratio_polynom() returns an incorect result?

If it is indeed the case that pos_ratio_polynom() callers are
legitimately passing a setpoint which is more than 2^32 less than limit
then it would be better to handle that input correctly.

Writing a new suite of div functions sounds overkillish.  At some loss
of precision could we do something like

	if (divisor > 2^32) {
		divisor >>= log2(divisor) - 32;
		dividend >>= log2(divisor) - 32;
	}
	x = div(dividend, divisor);

?

And let's uninline the sorry thing while we're in there ;)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ