lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200921184921.GR6756@twin.jikos.cz>
Date:   Mon, 21 Sep 2020 20:49:21 +0200
From:   David Sterba <dsterba@...e.cz>
To:     Denis Efremov <efremov@...ux.com>
Cc:     David Sterba <dsterba@...e.com>,
        Josef Bacik <josef@...icpanda.com>, Chris Mason <clm@...com>,
        linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH 2/2] btrfs: check allocation size in btrfs_ioctl_send()

On Mon, Sep 21, 2020 at 08:03:36PM +0300, Denis Efremov wrote:
> Replace kvzalloc() call with kvcalloc() that checks
> the size internally. Use array_size() helper to compute
> the memory size for clone_sources_tmp.
> 
> Cc: Kees Cook <keescook@...omium.org>
> Signed-off-by: Denis Efremov <efremov@...ux.com>
> ---
>  fs/btrfs/send.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
> index c874ddda6252..9e02aba30651 100644
> --- a/fs/btrfs/send.c
> +++ b/fs/btrfs/send.c
> @@ -7087,7 +7087,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
>  	u32 i;
>  	u64 *clone_sources_tmp = NULL;
>  	int clone_sources_to_rollback = 0;
> -	unsigned alloc_size;
> +	size_t alloc_size;
>  	int sort_clone_roots = 0;
>  
>  	if (!capable(CAP_SYS_ADMIN))
> @@ -7179,15 +7179,16 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
>  	sctx->waiting_dir_moves = RB_ROOT;
>  	sctx->orphan_dirs = RB_ROOT;
>  
> -	alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1);
> -
> -	sctx->clone_roots = kvzalloc(alloc_size, GFP_KERNEL);
> +	sctx->clone_roots = kvcalloc(sizeof(*sctx->clone_roots),
> +				     arg->clone_sources_count + 1,
> +				     GFP_KERNEL);

There is an overflow check in btrfs_ioctl_send a few lines above, it
won't overflow at the allocation so this more like a cleanup than adding
a missing check, as the subject suggests.

Patches added to misc-next, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ