| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 May 2015 02:04:31 +0300
From: Vladimir Zapolskiy <vz@...ia.com>
To: Tejun Heo <tj@...nel.org>
CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs: sysfs: don't pass count == 0 to bin file readers
Hello Tejun,
On 22.05.2015 01:14, Tejun Heo wrote:
> Hello,
>
> On Fri, May 22, 2015 at 12:21:16AM +0300, Vladimir Zapolskiy wrote:
>> If count == 0 bytes are requested by a reader, sysfs_kf_bin_read()
>> deliberately returns 0 without passing a potentially harmful value to
>> some externally defined underlying battr->read() function.
>>
>> However in case of (pos == size && count) the next clause always sets
>> count to 0 and this value is handed over to battr->read().
>>
>> The change intends to make obsolete (and remove later) a redundant
>> sanity check in battr->read(), if it is present, or add more
>> protection to struct bin_attribute users, who does not care about
>> input arguments.
>>
>> Signed-off-by: Vladimir Zapolskiy <vz@...ia.com>
>> ---
>> fs/sysfs/file.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
>> index 7c2867b..6c95628 100644
>> --- a/fs/sysfs/file.c
>> +++ b/fs/sysfs/file.c
>> @@ -90,7 +90,7 @@ static ssize_t sysfs_kf_bin_read(struct kernfs_open_file *of, char *buf,
>> return 0;
>>
>> if (size) {
>> - if (pos > size)
>> + if (pos >= size)
>> return 0;
>> if (pos + count > size)
>> count = size - pos;
>
> Hmmm... maybe just move that test upwards?
>
> if (!count || pos >= size)
> return 0;
>
> count = min(count, size - pos);
>
If the code block stays within if (size && count) { ... }, then !count
check is redundant (you may notice that !count check is already present
above but not shown in diff's 3 lines context), and I agree that
if (pos >= size)
return 0;
if (pos + count > size)
count = size - pos;
and
if (pos >= size)
return 0;
count = min(count, size - pos);
are equal.
But "!size" is a special case,
if (!count || pos >= size)
return 0;
seems to be incorrect in case of !size ===> (pos >= size) == true.
To the sent change I may add a replacement of "if (pos + count > size)
..." with min_t (ssize_t, count, size - pos), if you wish.
--
With best wishes,
Vladimir
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists