lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.10.1406041858170.2441@hadrien>
Date:	Wed, 4 Jun 2014 18:59:22 +0200 (CEST)
From:	Julia Lawall <julia.lawall@...6.fr>
To:	Jens Axboe <axboe@...nel.dk>
cc:	scameron@...rdog.cce.hp.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 7/10] cciss: use safer test on the result of
 find_first_zero_bit



On Wed, 4 Jun 2014, Jens Axboe wrote:

> On 06/04/2014 08:51 AM, scameron@...rdog.cce.hp.com wrote:
> >> Find_first_zero_bit considers BITS_PER_LONG bits at a time, and thus may
> >> return a larger number than the maximum position argument if that position
> >> is not a multiple of BITS_PER_LONG.
> >>
> >> The semantic match that finds this problem is as follows:
> >> (http://coccinelle.lip6.fr/)
> >>
> >> // <smpl>
> >> @@
> >> expression e1,e2,e3;
> >> statement S1,S2;
> >> @@
> >>
> >> e1 = find_first_zero_bit(e2,e3)
> >> ...
> >> if (e1
> >> - ==
> >> + >=
> >>   e3)
> >> S1 else S2
> >> // </smpl>
> >>
> >> Signed-off-by: Julia Lawall <Julia.Lawall@...6.fr>
> >>
> >> ---
> >>  drivers/block/cciss.c |    2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff -u -p a/drivers/block/cciss.c b/drivers/block/cciss.c
> >> --- a/drivers/block/cciss.c
> >> +++ b/drivers/block/cciss.c
> >> @@ -980,7 +980,7 @@ static CommandList_struct *cmd_alloc(ctl
> >>
> >>  	do {
> >>  		i = find_first_zero_bit(h->cmd_pool_bits, h->nr_cmds);
> >> -		if (i == h->nr_cmds)
> >> +		if (i >= h->nr_cmds)
> >>  			return NULL;
> >>  	} while (test_and_set_bit(i, h->cmd_pool_bits) != 0);
> >>  	c = h->cmd_pool + i;
> >
> >
> > Thanks. Ack.
> >
> > You can add
> >
> > Reviewed-by: Stephen M. Cameron <scameron@...rdog.cce.hp.com>
> >
> > to this patch if you want.
> >
> > You might consider adding "Cc: stable@...r.kernel.org" into the
> > sign-off area as well.
>
> There are two such instances in cciss.c, btw.

Actually, there seem to be three, and I didn't find the other two because
the assignment is inlined into the test.  But the patch isn't needed
anyway, because it turns out that the result never goes over the bound
value.

thanks,
julia
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ