| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <05a7b524-aee2-fd1d-e342-b85f355adb82@gmail.com>
Date: Tue, 19 Jan 2021 19:39:23 +0100
From: Bodo Stroesser <bostroesser@...il.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Douglas Gilbert <dgilbert@...erlog.com>,
linux-scsi@...r.kernel.org, linux-block@...r.kernel.org,
target-devel@...r.kernel.org, linux-rdma@...r.kernel.org,
linux-kernel@...r.kernel.org, martin.petersen@...cle.com,
jejb@...ux.vnet.ibm.com, ddiss@...e.de, bvanassche@....org
Subject: Re: [PATCH v6 1/4] sgl_alloc_order: remove 4 GiB limit, sgl_free()
warning
On 19.01.21 19:17, Jason Gunthorpe wrote:
> On Tue, Jan 19, 2021 at 07:08:32PM +0100, Bodo Stroesser wrote:
>> On 19.01.21 19:03, Jason Gunthorpe wrote:
>>> On Tue, Jan 19, 2021 at 06:24:49PM +0100, Bodo Stroesser wrote:
>>>>
>>>> I had a second look into math.h, but I don't find any reason why round_up
>>>> could overflow. Can you give a hint please?
>>>
>>> #define round_up(x, y) ((((x)-1) | __round_mask(x, y))+1)
>>> ^^^^^
>>>
>>> That +1 can overflow
>>
>> But that would be a unsigned long long overflow. I considered this to
>> not be relevant.
>
> Why not? It still makes nents 0 and still causes a bad bug
>
Generally spoken, you of course are right.
OTOH, if someone tries to allocate such big sgls, then we will run into
trouble during memory allocation even without overrun.
Anyway, if we first calculate nent and nalloc and then check with
if ((unsigned long long)nalloc << (PAGE_SHIFT + order) < length)
return NULL;
I think we would have checked against all kind of overrun in a single
step. Or am I missing something?
Bodo
Powered by blists - more mailing lists