Message-Id: <20210723212353.896343-2-bvanassche@acm.org>
Date:   Fri, 23 Jul 2021 14:23:50 -0700
From:   Bart Van Assche <bvanassche@....org>
To:     Christoph Hellwig <hch@....de>
Cc:     Joel Becker <jlbec@...lplan.org>, linux-kernel@...r.kernel.org,
        Bodo Stroesser <bostroesser@...il.com>,
        "Martin K . Petersen" <martin.petersen@...cle.com>,
        Yanko Kaneti <yaneti@...lera.com>,
        Brendan Higgins <brendanhiggins@...gle.com>,
        Bart Van Assche <bvanassche@....org>
Subject: [PATCH 1/4] configfs: Rework the overflow check in fill_write_buffer()

Change 'if (SIMPLE_ATTR_SIZE - 1 - pos <= 0)' into
'if (pos >= SIMPLE_ATTR_SIZE - 1)'. Change the data type of 'to_copy'
from long long (loff_t) into int. Do not check whether pos < 0 since
rw_verify_area() checks this for us. As one can see on
https://lore.kernel.org/lkml/CAHk-=wjuDBQdUvaO=XaptgmvE_qeg_EuZjsUZf2vVoXPUMgAvg@mail.gmail.com/
these changes have been requested by Linus Torvalds.

Cc: Bodo Stroesser <bostroesser@...il.com>
Cc: Martin K. Petersen <martin.petersen@...cle.com>
Cc: Yanko Kaneti <yaneti@...lera.com>
Cc: Brendan Higgins <brendanhiggins@...gle.com>
Signed-off-by: Bart Van Assche <bvanassche@....org>
---
 fs/configfs/file.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/fs/configfs/file.c b/fs/configfs/file.c
index 5a0be9985bae..8121bb1b2121 100644
--- a/fs/configfs/file.c
+++ b/fs/configfs/file.c
@@ -181,8 +181,7 @@ static ssize_t configfs_bin_read_iter(struct kiocb *iocb, struct iov_iter *to)
 static int fill_write_buffer(struct configfs_buffer *buffer, loff_t pos,
 			     struct iov_iter *from)
 {
-	loff_t to_copy;
-	int copied;
+	int to_copy, copied;
 	u8 *to;
 
 	if (!buffer->page)
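
Review bot: narrowing to_copy from loff_t to int in the declaration is only safe because of statement order further down. pos is still loff_t, so 'SIMPLE_ATTR_SIZE - 1 - pos' is evaluated in 64 bits and then implicitly truncated on assignment. The value fits only when the range check on pos has already run. A one-line comment at the declaration, or above the assignment, saying that to_copy is bounded by SIMPLE_ATTR_SIZE - 1 after the check would keep a later reordering from silently reintroducing a truncation.
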
@@ -190,9 +189,9 @@ static int fill_write_buffer(struct configfs_buffer *buffer, loff_t pos,
 	if (!buffer->page)
 		return -ENOMEM;
 
-	to_copy = SIMPLE_ATTR_SIZE - 1 - pos;
-	if (to_copy <= 0)
+	if (pos >= SIMPLE_ATTR_SIZE - 1)
 		return 0;
+	to_copy = SIMPLE_ATTR_SIZE - 1 - pos;
 	to = buffer->page + pos;
 	copied = copy_from_iter(to, to_copy, from);
 	buffer->needs_read_fill = 1;
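
Review bot: 'if (pos >= SIMPLE_ATTR_SIZE - 1)' bounds pos from above only, so the function now depends entirely on its callers for pos >= 0. With a negative pos, 'to_copy = SIMPLE_ATTR_SIZE - 1 - pos' would exceed the buffer size and 'to = buffer->page + pos' would point before the page. The commit message says rw_verify_area() guarantees this, but nothing in the function records that. Suggest a short comment above the check naming rw_verify_area() as the source of the guarantee, so the invariant is visible to anyone adding a new caller of fill_write_buffer().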
