| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YJvV3jsotDj5COKe@localhost.localdomain>
Date: Wed, 12 May 2021 16:19:26 +0300
From: Alexey Dobriyan <adobriyan@...il.com>
To: Marcelo Henrique Cerri <marcelo.cerri@...onical.com>
Cc: linux-fsdevel@...r.kernel.org, David Disseldorp <ddiss@...e.de>,
Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
Michel Lespinasse <walken@...gle.com>,
Helge Deller <deller@....de>, Oleg Nesterov <oleg@...hat.com>,
Lorenzo Stoakes <lstoakes@...il.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] proc: Avoid mixing integer types in mem_rw()
On Wed, May 12, 2021 at 09:52:12AM -0300, Marcelo Henrique Cerri wrote:
> Use size_t when capping the count argument received by mem_rw(). Since
> count is size_t, using min_t(int, ...) can lead to a negative value
> that will later be passed to access_remote_vm(), which can cause
> unexpected behavior.
>
> Since we are capping the value to at maximum PAGE_SIZE, the conversion
> from size_t to int when passing it to access_remote_vm() as "len"
> shouldn't be a problem.
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -854,7 +854,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
> flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
>
> while (count > 0) {
> - int this_len = min_t(int, count, PAGE_SIZE);
> + size_t this_len = min_t(size_t, count, PAGE_SIZE);
As much as I don't like signed integers, VFS caps read/write lengths
at INT_MAX & PAGE_MASK, so casting doesn't change values.
Powered by blists - more mailing lists