Message-ID: <1403397164.2177.40.camel@dabdike.int.hansenpartnership.com> Date: Sat, 21 Jun 2014 17:32:44 -0700 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Al Viro <viro@...IV.linux.org.uk> Cc: Theodore Ts'o <tytso@....edu>, Dave Chinner <david@...morbit.com>, Jens Axboe <axboe@...com>, linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org Subject: Re: 32-bit bug in iovec iterator changes On Sun, 2014-06-22 at 01:26 +0100, Al Viro wrote: > On Sat, Jun 21, 2014 at 05:03:20PM -0700, James Bottomley wrote: > > > > Anyway, does the following alone fix the problem you are seeing? > > > > > > diff --git a/include/linux/uio.h b/include/linux/uio.h > > > index ddfdb53..dbb02d4 100644 > > > --- a/include/linux/uio.h > > > +++ b/include/linux/uio.h 
> > > @@ -94,7 +94,7 @@ static inline size_t iov_iter_count(struct iov_iter *i) > > > return i->count; > > > } > > > > > > -static inline void iov_iter_truncate(struct iov_iter *i, size_t count) > > > +static inline void iov_iter_truncate(struct iov_iter *i, u64 count) > > > { > > > if (i->count > count) > > > i->count = count; > > > > Al, how can that work? i->count is size_t, which is 32 bit, so we're > > going to get truncation errors. > > No, we are not. Look: > * comparison promotes both operands to u64 here, so its result is > accurate, no matter how large count is. They are compared as natural > numbers. True ... figured this out 10 seconds after sending the email. > * assignment converts count to size_t, which *would* truncate for > values that are greater than the maximal value representable by size_t. > But in that case it's by definition greater than i->count, so we do not > reach that assignment at all. OK, so what I still don't get is why isn't the compiler warning when we truncate a u64 to a u32? We should get that warning in your new code, and we should have got that warning in fs/block_dev.c where it would have pinpointed the actual problem. James -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
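Review bot: The assignment `i->count = count` in iov_iter_truncate() now narrows a u64 into a size_t field implicitly, and it is only safe because the `i->count > count` check directly above it guarantees the value fits. Suggest a one-line comment stating that invariant, or an explicit `(size_t)count` cast, so a later change to the condition does not silently reintroduce truncation on 32-bit. A short comment on the function saying that callers should pass the full 64-bit limit, rather than narrowing it first, would also help.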
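Al Viro's two points in the message above (the comparison is done in 64 bits, and the narrowing assignment is only reached when the value fits), shown as an added example that is not code from the thread or the kernel. `size32_t`, `struct iter` and the function names are hypothetical stand-ins that model a 32-bit `size_t`, and the sample sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: uint32_t stands in for size_t on a 32-bit kernel. */
typedef uint32_t size32_t;

struct iter { size32_t count; };   /* stand-in for struct iov_iter */

/* Old signature: the caller's 64-bit value is narrowed at the call. */
static void truncate_narrow(struct iter *i, size32_t count)
{
    if (i->count > count)
        i->count = count;
}

/* Patched signature: compare in 64 bits, narrow only when count is smaller. */
static void truncate_wide(struct iter *i, uint64_t count)
{
    if (i->count > count)
        i->count = (size32_t)count;  /* count < i->count here, so it fits */
}

/* Apply the old helper to a request of len bytes with a 64-bit limit. */
static size32_t run_narrow(size32_t len, uint64_t limit)
{
    struct iter it = { len };
    truncate_narrow(&it, (size32_t)limit);  /* implicit in C; explicit here */
    return it.count;
}

/* Apply the patched helper to the same inputs. */
static size32_t run_wide(size32_t len, uint64_t limit)
{
    struct iter it = { len };
    truncate_wide(&it, limit);
    return it.count;
}

int main(void)
{
    uint64_t big = (1ULL << 32) + 512;  /* constructed: 4 GiB + 512 bytes left */
    printf("narrow, big limit:  %u\n", (unsigned)run_narrow(4096, big));
    printf("wide, big limit:    %u\n", (unsigned)run_wide(4096, big));
    printf("wide, small limit:  %u\n", (unsigned)run_wide(4096, 100));
    return 0;
}
```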